253fbc1ad3099ffdd2391d7e39eb6ad4b19faa0e1d42eb585896562f35e37cc3

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subtext.html
Size

9KB
MD5

e2587fd2c779b5167d985aed0c6658cd
SHA1

524ea462f1e8cbc6b1990eb243a6b4cb5018f662
SHA256

253fbc1ad3099ffdd2391d7e39eb6ad4b19faa0e1d42eb585896562f35e37cc3
SHA512

abfa7479069aaae002707e06a589f329cbe7ff7518de5fce203b1b8185b5b01ea369977a8310a36f50836e73290deb36700553521cd378ff94104ee0409e96a1
SSDEEP

96:a8nSUsZhHetA54x6eeJQmVQc2Aocsb0bpzb0bDyYeBrpH2dWn+HLS1j:a8SUOh7n5VQHjN0VH0/yYurp2QnGLSF

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4108	msedge.exe
4108	msedge.exe
3816	identity_helper.exe
3816	identity_helper.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe
5936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 2912	4108	msedge.exe	84
PID 4108 wrote to memory of 2912	4108	msedge.exe	84
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 820	4108	msedge.exe	85
PID 4108 wrote to memory of 4908	4108	msedge.exe	86
PID 4108 wrote to memory of 4908	4108	msedge.exe	86
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87
PID 4108 wrote to memory of 1628	4108	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\subtext.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0d1146f8,0x7ffc0d114708,0x7ffc0d114718
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15734341956968856281,7349798086101508556,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
575d2f7604453fbaed2a2e980ed56f34

SHA1
095e6f88e39cf98837e8d8ce0f376bbfe14bbd87

SHA256
04298ace0f7b38305db61540e0684b910cfbb23bda147232a289790d3ab294c4

SHA512
d2f8affd087af7eb776864f596feac0b249a03c2453018a60b85dfee27672cd53bae3149dd728ebc9a21e6d6552185899f48f437f098624e52ffacd6ef600b9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1878d7c73f5be25ced24e8dd7a7aa2bb

SHA1
a06eaa08ee847514e5f4bdb0f6656efc6593fb8d

SHA256
e58632b5492eec803dd40e0a0c5b765fab5f5cc35c309b0fbe2dabe598b8d76b

SHA512
e26b5042105f619a13c2d2963364f8afef17c90474edb72179275def4090ec372e5405261a9a01add3b7b90c601b91c0f623d7c466dfa9985cf8b316a3af5e15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
347f2873ed1cbd3f34050e6b8fa73c84

SHA1
a84bae5f815f08479bb8f726e69fb24a8eb10742

SHA256
9cdf8cbd902ec9f1ffd2726fe35c33f8c10be20764ebbacdd9da432e39e7cb9a

SHA512
4d7cca7fa2de4459a9ff3557573bcab91535d73d40e836630cf974b7b61cc42f0ebcc710b8973fdf64bce3fd8bd9db34dfdf33a76538555e9879359b135c40dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31c1110cc1912e3d7d6f52dbb7bed629

SHA1
bae82530d06542356aa7130102e87c62996f7141

SHA256
84dd899e6e599588d62a377037cc5570f9dd921dcdc95ff01f6a4c34b6adedd7

SHA512
1463313125f12c1a18c4b1acc68e8bfbaecf561aa728ff47c1b99fc665fba3327ee71e3845a73f15f7b0106afe77d05dce9d7fd679babb924f1507cd18d46f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b49241d93b50064a7dd06c64cedc63d

SHA1
7073e8c0be1a7897a1c2b1864770c82a799b05e9

SHA256
cf93b6aecb322feb1fa17ea1b63e396f9d66a7ac9f6f0f6c92ba63246c688d98

SHA512
affe14d6df725e08f9b0203d482356944bc7dde0b64d0429b1e33e1de4a3f2ced9c190bc6b7d13e92042911ced8d30960de944c65a8fbf7a40220323e4af4918

Download Submit