Analysis
- max time kernel: 50s
- max time network: 47s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2024 14:45
Static task: static1
Behavioral task: behavioral1
- Sample: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
- Resource: win10v2004-20240802-en
General
- Target: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
- Size: 146B
- MD5: 9fe3cb2b7313dc79bb477bc8fde184a7
- SHA1: 4d7b3cb41e90618358d0ee066c45c76227a13747
- SHA256: 32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
- SHA512: c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db
Malware Config
Signatures
Every hit below is raised by the Edge browser process (PID 4216) or by its own Chromium child processes (msedge.exe renderers/utilities and identity_helper.exe); the process tree contains no non-browser child of Edge, and the two CompPkgSrv.exe instances are COM-activated top-level processes. Note also that the image ships Edge 92.0.902.67 (Chromium 92.0.4515.131, per the crashpad-handler annotations), a build several years older than the August 2024 submission date, so the observed behaviour is that of an old browser build rather than a current one.

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe
  pid 4872 msedge.exe (2 entries)
  pid 4216 msedge.exe (2 entries)
  pid 4232 identity_helper.exe (2 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid 4216 msedge.exe (6 entries)

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid 4216 msedge.exe (25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 4216 msedge.exe (24 entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries have the form "PID 4216 wrote to memory of <target>", source process msedge.exe, target process msedge.exe.
  Distinct target PIDs: 1900, 344, 4872, 4860 (the browser process writing into the child processes it launches).
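Added triage helper (example code written for this page; it is not tria.ge output and not Edge code). It parses the flattened "wrote to memory" IoC records above, collapses the repeated entries to the distinct target PIDs per writer, and flags any write whose source or target image lies outside the browser's own process set. REPORT_IOCS is a subset copied from the records above; CONSTRUCTED_SUSPECT is a hypothetical counter-example that does not occur in this report, included only to show the check firing; BROWSER_IMAGES is an assumption about which images belong to the Edge 92 process model.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Subset of the "Suspicious use of WriteProcessMemory" records from the report above,
# in the flattened "PID <writer> wrote to memory of <target> <writer> <image> <target image>"
# form. Sample copied from the page, not the full 64-record list.
REPORT_IOCS = """
PID 4216 wrote to memory of 1900 4216 msedge.exe msedge.exe
PID 4216 wrote to memory of 1900 4216 msedge.exe msedge.exe
PID 4216 wrote to memory of 344 4216 msedge.exe msedge.exe
PID 4216 wrote to memory of 344 4216 msedge.exe msedge.exe
PID 4216 wrote to memory of 4872 4216 msedge.exe msedge.exe
PID 4216 wrote to memory of 4860 4216 msedge.exe msedge.exe
"""

# Constructed counter-example (hypothetical, NOT observed in this report): the browser
# PID writing into a non-browser image, which is what the check must flag.
CONSTRUCTED_SUSPECT = "PID 4216 wrote to memory of 5555 4216 msedge.exe powershell.exe\n"

WRITE_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+)\s+\d+\s+"
    r"(?P<writer_image>\S+)\s+(?P<target_image>\S+)"
)

# Assumption: images a Chromium-based browser's broker process legitimately launches
# and writes into while setting up its sandboxed children (Edge 92 layout as on this page).
BROWSER_IMAGES = {"msedge.exe", "identity_helper.exe"}

Record = Tuple[int, int, str, str]  # (writer_pid, target_pid, writer_image, target_image)


def parse_write_iocs(text: str) -> List[Record]:
    """Parse flattened WriteProcessMemory IoC records, case-folding image names."""
    out: List[Record] = []
    for m in WRITE_RE.finditer(text):
        out.append((int(m["writer"]), int(m["target"]),
                    m["writer_image"].lower(), m["target_image"].lower()))
    return out


def collapse_targets(records: List[Record]) -> Dict[int, List[int]]:
    """Collapse repeated records to the distinct target PIDs per writer, so that
    '64 IoCs' reads as 'N child processes written to'."""
    by_writer = defaultdict(set)
    for writer, target, _, _ in records:
        by_writer[writer].add(target)
    return {w: sorted(t) for w, t in by_writer.items()}


def find_foreign_writes(records: List[Record], browser_images=BROWSER_IMAGES) -> List[Record]:
    """Records whose writer or target image is not part of the browser's own process
    model. Empty means every write is the browser seeding its own children; anything
    else is a write into an unrelated process and needs a closer look."""
    return [r for r in records if r[2] not in browser_images or r[3] not in browser_images]


def summarise(text: str) -> dict:
    """One-shot triage summary of a block of flattened WriteProcessMemory records."""
    records = parse_write_iocs(text)
    return {
        "records": len(records),
        "targets_by_writer": collapse_targets(records),
        "image_pairs": dict(Counter((r[2], r[3]) for r in records)),
        "foreign": find_foreign_writes(records),
    }


if __name__ == "__main__":
    print(summarise(REPORT_IOCS))
    print(summarise(REPORT_IOCS + CONSTRUCTED_SUSPECT)["foreign"])
```

Run against the report's records the summary collapses to a single writer (4216) and four target PIDs with only msedge.exe to msedge.exe pairs and no foreign writes; the constructed powershell.exe line is the only thing the check reports.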
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8540646f8,0x7ff854064708,0x7ff854064718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9280074096980485545,8259546817660286523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding (top-level process, COM-activated; not a child of msedge.exe)
- C:\Windows\System32\CompPkgSrv.exe -Embedding (top-level process, COM-activated; not a child of msedge.exe)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 9e3fc58a8fb86c93d19e1500b873ef6f
  SHA1: c6aae5f4e26f5570db5e14bba8d5061867a33b56
  SHA256: 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
  SHA512: e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 27304926d60324abe74d7a4b571c35ea
  SHA1: 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
  SHA256: 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
  SHA512: f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 9a84110b9825ce430797a19fe5d4debf
  SHA1: f421320421d1b3d21c5a6cf44d52dba78c71b670
  SHA256: 025cc8bd7e0caac04e47c4abf465500c46f13eefa06bcb4c8ba71caa78a7e4bc
  SHA512: c240734ac842ae2e35c46f559f4be1d65a1c344b11c8710ad33d8c79200903e06f55d3e3789e166e3439d1da10ddd7609789d7d708207b7e058531e351e564fe
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b5da846f-c580-4953-b043-179a7ebad7c5.tmp
  Filesize: 6KB
  MD5: 298ddd2636b28f9589f42477f3455be9
  SHA1: f733b51431b6c98cfdb20211d9c1da8fd69fbc7d
  SHA256: 8cd298e8cd033ef27cc892adbf246c94055330ce316aebf94e3ff80b1ea4f217
  SHA512: b4085f810a30309a9ee7f28a9713ca712f72cc4a35608736b66217e20f79265e02dbd71564014ccdb6a0b5eccdd2f17e530bfddf5cc94fe4a0058ed0743db83b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8eb8f57508b297255c115413ce5afab4
  SHA1: 190741b9253b649371fdba965bdd4ba02804f14b
  SHA256: 434b33d889477b9f5167bbdaa5901636df2cbd85f5073604ab8016489478c64b
  SHA512: 36c51a11d4cb9dd44efa27fe9fef5807624b54a190a783479e100491ba52928464c454d20b7d1915752694fc4a0b3105a838ae963ee4e5c289e3af6d919118a9
- \??\pipe\LOCAL\crashpad_4216_CAWIGJWOTDIZLMEX
  Filesize: not recorded (a named pipe, not a file; all four digests below are those of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e