Analysis
max time kernel: 146s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2024 19:09
Static task: static1
Behavioral task: behavioral1
  Sample: wMbcG2FDJSm1e3aCdNo7urLY8q71J4oiE1PjQ1A2.html
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: wMbcG2FDJSm1e3aCdNo7urLY8q71J4oiE1PjQ1A2.html
  Resource: win10v2004-20240802-en
General
Target: wMbcG2FDJSm1e3aCdNo7urLY8q71J4oiE1PjQ1A2.html
Size: 146B
MD5: 9fe3cb2b7313dc79bb477bc8fde184a7
SHA1: 4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256: 32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512: c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process     Description        IoC
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID   Process              IoC rows
  3452  msedge.exe           2
  5088  msedge.exe           2
  3008  identity_helper.exe  2
  2232  msedge.exe           4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID   Process     IoC rows
  5088  msedge.exe  6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  PID   Process     IoC rows
  5088  msedge.exe  25
- Suspicious use of SendNotifyMessage (24 IoCs)
  PID   Process     IoC rows
  5088  msedge.exe  24
- Suspicious use of WriteProcessMemory (64 IoCs)
  Description      PID   Process     Target PID  Target process  IoC rows
  wrote to memory  5088  msedge.exe  2648        msedge.exe      2
  wrote to memory  5088  msedge.exe  3488        msedge.exe      40
  wrote to memory  5088  msedge.exe  3452        msedge.exe      2
  wrote to memory  5088  msedge.exe  1344        msedge.exe      20
  (the report lists every repeated write as a separate IoC row; identical rows are collapsed here with their count)
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\wMbcG2FDJSm1e3aCdNo7urLY8q71J4oiE1PjQ1A2.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff849ee46f8,0x7ff849ee4708,0x7ff849ee4718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1455010679480202930,3271154303941430585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: eeaa8087eba2f63f31e599f6a7b46ef4
  SHA1: f639519deee0766a39cfe258d2ac48e3a9d5ac03
  SHA256: 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
  SHA512: eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b9569e123772ae290f9bac07e0d31748
  SHA1: 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
  SHA256: 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
  SHA512: cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: a31ebe95e12f1f5ba558646b90606cf0
  SHA1: 37b699d4250e008f194baf0b64f161b404ba77c6
  SHA256: fc7190f57965cadf57845322dd09cbbd855ab7909b1d534be0325da58916e657
  SHA512: ff3972b80aac04f15efdbf0d850080fa59a9ecea2a635ac3307efb5c24424a0bfbca1b5f6214edb679e1c624cf5dd3aa5e7302dea0cb927a1a4684ffa0bafe03
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6be7787599100773dc02d242435eb271
  SHA1: 71e0ce503d25630ea5f12202a90a4b02bfd5b1b6
  SHA256: 831acc9b267475a0754575572eeb22fe08b9660ae910f2d62b5c53054fef9d4a
  SHA512: 3850a9166187eeb37feae4d23365739e744dee7305673ac698467d6cb3175342c95b9a103f6ff8be64adb64e62a4669ed66e3c42ca77115717fa429bd0b8b9b7
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 1a02be9abaf6654709cf4a067db826d0
  SHA1: 8be4b01c6ba612b0561e33d394629f71cacea0dc
  SHA256: ef1b6efe3944c88b68bd0ef8e8abdf8f002bed75f53b2f8d0bd17c4d21104e0a
  SHA512: fc30024557828b812ff28a1146a8f286e9f20d80671f601ce586f387a642859bbc6734782207055794ceb40c5de60ee91bd77dc4fe67168e5480bd804c43ec21
- \??\pipe\LOCAL\crashpad_5088_WQHGOTRCWDBXSQHL
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e