e9c9c20894588809e8eea6e9d58a6956045bca78bba106ba11e98d3f198eca10

Analysis

max time kernel
95s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 18:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

keyran.html
Size

194KB
MD5

0878cbc713b3b72402904a3b4e9cd83c
SHA1

ffb31120b1ac8b8822ffec2edfca9f596f131c40
SHA256

e9c9c20894588809e8eea6e9d58a6956045bca78bba106ba11e98d3f198eca10
SHA512

dd07065aa380390e85b7b8c883c88ab148f16fe256661e99eef4e1beb5eb14a81106966c0076ee63a02f2d13ee81d8f266a2cfe7c5e71f7feeb047a141b66a02
SSDEEP

1536:9ns+D1kBKF20p7apKp/yU/y0jJQG/OE/1CYXffd9+Jan1oxRTvwDGo2IV8e4BwO9:Vs+D2TsbvdJfGgo/jS8si0C

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
2532	msedge.exe
2532	msedge.exe
3504	identity_helper.exe
3504	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe
2532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 4296	2532	msedge.exe	83
PID 2532 wrote to memory of 4296	2532	msedge.exe	83
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 4156	2532	msedge.exe	86
PID 2532 wrote to memory of 3620	2532	msedge.exe	87
PID 2532 wrote to memory of 3620	2532	msedge.exe	87
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88
PID 2532 wrote to memory of 2788	2532	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\keyran.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff07c146f8,0x7fff07c14708,0x7fff07c14718
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,1226067312021405563,7191923658234323484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
339B

MD5
173503b474bd35495ff4558750745acd

SHA1
76eccc9d5c7e83e03476a8248b67b750e46b9208

SHA256
1609615564babf9b5be0ae47cc125e0cbcd952e6239a89657123fd5d3446146b

SHA512
c6a715e1e602350ff195cb3aafeb414ec7d603e7991addf86a5bf7102f3c2a5b230dfd62abb65a40316df1c2b924653a0986a89bc2109768661d5f285c4ae1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
746eb5786c4b0f8a95d5fd849ee30783

SHA1
999165515587b748c0fd39effed19f0f3349045a

SHA256
a2b233c77e7da0ad841b54fffd136c0894b686b7dfcc95ca791f95023cfe462d

SHA512
54f63818885dc7036de7639382a2c168867d15a976ed46d263ec90747541f37eb596290cf03be46e3035766275fc39ba9de78143c37eaf73a074020897de122c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f21d733438ba75388f526fe70ed80b3

SHA1
369dbabbe74c2715b04490c26790bde85bbd0889

SHA256
15e4c7c67bf32544920276d18bd8b71a03fe2c8cf778425882fd921e48b25d76

SHA512
9a265a5e3e1e93723d26aa31b42e99aa76349933aaeb725fa69192a90c5e9f18f8abc09360aafd10e3ae8786a91f5672b1d6af591b8069384e402a1d1646eded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6b44a1c41cd1fd1cdbe9998221a3c42

SHA1
7bce34dd84a10fbf6a81894bb97a24c869272423

SHA256
6dbc9e33eb03d8be3012bcbb7956479aeafa093d946da3238db400c29d98abf3

SHA512
68425ee40409f906fdc26d78a2dd482ec8c38b8e71d2acfc42849766bc316ad3709f25b29535691a5494a06038c15975e179f12d00310bd098f6460b3d50fbfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
03b6cb861e35fdf386f5812bc6c3ce83

SHA1
38e15db7768459baf70ca4e1411aaf8cdbe47876

SHA256
e6283a9bafaf653a684f803d737deff776b4d0d127d21c25c6f573115976a936

SHA512
1cdff5d842e1c8a4f49eb64093d5a281b5fbd5d4afa6b77ac82b5bb66c78f8d85b89a2f29533e5984d49650b9e69f98026fc9b9242f24a6d05a83cc4fc17d9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e20.TMP

Filesize
372B

MD5
1222189a6b6d5d6f24c0f5e0d2a21d84

SHA1
c44e8250990d8e5e47a6a52a13ec70030c10b1e5

SHA256
e4e67eda708ed4add82ca943345f077006e69697208ee79c1c1945c33b89ea86

SHA512
deac363b7f08516e87654c712e417a7beacee4dd8511a2a7c8075f09781f8bf96c9137bf6915168c8c315d784191237af69de450b5d9314def415e503ee47284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae1ab61040b8944d4a4da980b25b5ee8

SHA1
f30226f7b9d1da7f6b6c5183eae2120f27876c10

SHA256
7dd47f25bf636e7569ce0142a540662d2cfcce95207ad05f02ca864326e9741d

SHA512
d205b1cd9a5574f6586dd6b07e2ca28f7f56570011da5334f8b1545cad9698c3e1e4b8c5d797fa66297415687713a6100f4a44200d7b6739d6aeafd1414751e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7f32e197516b4b9f4995f23fcab8d066

SHA1
9bdb2d2fe32895f852b623cdc2cd15e0555c63a4

SHA256
1bb54fd2a82fbf27d2937d5e32a5bddd0901df534a6cc00f0502c17c9c369a2a

SHA512
562ba68d28b41dd9e2fc79885db685083566cc8d026eb1758b625c496c12eae69c061432176563ec5907fdde6e8d5f8d6f8e25f0d0718a0a1a036d9c030f2573

Download Submit