779593a4610c15d6ee020ce2f7c282ad49f4704774ccd4466d6d39db44e24b04

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

securedoc_20240731T201503.html
Size

147KB
MD5

0949a6fb3f22f1540feb7aec3771c3ad
SHA1

e86ee703db0921e84f7a04c87df678c62fe01c89
SHA256

779593a4610c15d6ee020ce2f7c282ad49f4704774ccd4466d6d39db44e24b04
SHA512

cd8782e1435bea82ee8b12517533e02142ca879f2e955d457edf14f82b80d99ae7c3a6a46ed0e03ce70fa2a2be2a41e23dc98aec0d594e2d3077b54bcdae04b6
SSDEEP

3072:zjl/LQISQGjA4RPe1JYq2IHYONivQjv8oV:d/LQIGgJYq2IHYONivQjkw

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3940	msedge.exe
3940	msedge.exe
3808	msedge.exe
3808	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 5068	3808	msedge.exe	82
PID 3808 wrote to memory of 5068	3808	msedge.exe	82
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3668	3808	msedge.exe	84
PID 3808 wrote to memory of 3940	3808	msedge.exe	85
PID 3808 wrote to memory of 3940	3808	msedge.exe	85
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86
PID 3808 wrote to memory of 3864	3808	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\securedoc_20240731T201503.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b25146f8,0x7ff8b2514708,0x7ff8b2514718
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16938849167032859405,17460156027448866308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b55d2d2ff2a4d5d7eeaff5ebb96f3b4a

SHA1
12d94b9e84142b10d6347a2ff3b634a20f692c7a

SHA256
3d249eae36cfc3837b043e4b8df670724fee5657b302c77d488f1da3d835f776

SHA512
4dc2fe1eeaca5f9c91d548c70a44ffd12b806a385e22a3c5f724b6f749a15c9ccb3ac1a752c63225bd4d1d90f2b25d8004a15d3912ca6a3cb92fcba91248626f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94c981336abc388ca817dab46e7fc547

SHA1
2d0f8d89a31adb0aad5c599a195ff40ecf4b161f

SHA256
4d44efbb5447fedc3cb21311290fe6a9d0e5a0e682387a1a341bd214df820ef2

SHA512
f1c9c98f6642ea3b90c8667a4871d5a3b8c05eb0c50d5dc31e32704e0eeca1d33add414df485aced130523d6be824c48e37d0022b4d58db60006efe3e337fdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9bb72be1-35b5-4177-b948-efc252bb2949.tmp

Filesize
6KB

MD5
c5deadfc1824ef1fe0e76a3e73a079a4

SHA1
f2bec46f88c8d3f0716a8daa1fd163e60c2c0379

SHA256
ebcdb96d84f76582c4fe3299f58538305886685f0331831b77cf5dea6a277853

SHA512
9a949fe8787fafc4e6451b245846b972c3dc74e2e39fd693ce12e5ca994c280d45101cc1122ef08d2589fc82364a22433a8483210262eab17ed0742810c16760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
534B

MD5
a98ed4ba22a3853dc0ea185b2364b7a0

SHA1
5ee085d246e895574a06ae91d3a1474d833c90bd

SHA256
fb10602f5ddf7e868ff7e9e8e7fab92359cc468700c0e14e9f583c3d8e5c2455

SHA512
3fa28b5634da39704d695abda7f68ef7e95552dc3d97b09378b59dd4c5433cc34a090ec01182c9700560e64f7d15e1cb782b307720e702b7e175da9153d93050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1cdb786ad6fed4cdb450a7fdcc8adfb

SHA1
4cb7648b994c8c7601618c6e288e8e43c708892d

SHA256
7ce182373f4cb6996748587e229476d2783458e7da09b39132120f3c586a35b5

SHA512
32a6d0a1af67ef476999fc434bc317b8b691344a5a38b962b476192e09ff29ae30f8b16e090bca7795b2bd2931ed95181f1cfa034ec4906b359a5365ebcc885b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
88a389d93e9fbc71f47fc3149fb3ba7d

SHA1
d0a390247ab5cc7ec6ea950611cfe9e2ac6f1154

SHA256
652149fd7221f1ed643575c62c9d2f22de815190e574dbc2c0ff218f7b5436a2

SHA512
a05b6b5031cfc19adf1e33894f33729d866251147609be14a7b869b9ff02b4580915c2411047620e3da60beed60327667d1b0a178dfce4dd3b8a047865917a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
ef8538b797a27829743e48f0d610b423

SHA1
45c20d3235a7c0fbd9b0bbbebec6ff27d9ab99a3

SHA256
c48f360aafdd64f1c8c43f535ca1c06dd46a09f153ec3ad1724df961cd600cca

SHA512
892db3e45f19c3b179ffff2d26e0bd5a0b9bbb857d7c4b88f499411f14c703dfea9586a86a11b6cf630dd65557d03aa62debe1a8784f7a08ce723847442e0405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
fb66ce15033355428ed158de538ea126

SHA1
cc8c5c1a490c9fa01e80336f901205b79fabf21e

SHA256
e263718d1f153d402e254064b3f167d5478592ea4b3802d051b3b68c965a14a6

SHA512
29dc7a25e7a2e313c5ffbade265b4ee17e4a6ceb326cc314d9521d8ab161a0bfd27102f24444f3232a87bd3a46df22082c93cf1dbc8a86a2454ba175ad3c110c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
c2ab337dbc4ae693388ddcccc9367eef

SHA1
aa124997103cc0c20d6af302989357d126a681a7

SHA256
f1407bae9a612454ca71aa01dafe2e8c7c23fff2de4f5782b08e0a1ed9d8ea21

SHA512
6a30c53ebadaf00b5dca6d0aeeb2b53f9b3cab83d555b3526c05230e8d77ec2ef1904212107b1018a36aa570bb0ad921e263dd82cae7f5cd50b019784a0c1949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58489d.TMP

Filesize
539B

MD5
127e629b4fb60f831d5b747e2ab2980e

SHA1
502de2170d67e48f7556f5fc072414a26956b7b2

SHA256
15dea0e22bf8861b822c9e60cf8afd10866134f927f0cf3f4915be78fd1d157d

SHA512
67b8bb381c25f0ae02c24e43a1b1b1c67034fa4b43a20ea08dd6132a3f3adfa2bd992a0106854380a82bb179d8b4e2a1995e606eac42170b3d06509e47342287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d814370842487c1f81f3d79037847be

SHA1
59d7e8ff01794adf0c8c9c9a149dd9d56eff0750

SHA256
1fc9104245653115da93167854a6457e89f7dd1d3bd4838f9767c2d65cc742e2

SHA512
2f6604d1b23a23249987d42aab8dd0f6a245ebb075a52dfcf7d4667a2420b6e3fe863dcb13ad2d9249aac44d879ad665fa3371c8c999b79306cc71f9a6c3ea98

Download Submit