2a5cc3683757593d9275f86f6a12b7f4dbd0cfc93a919fa8c7b1a0c4cfc07375

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

213KB
MD5

27461f4dd141e67e395a2c7bb3c68ed0
SHA1

169b184da6212708dd7462f08b7867c525864bf4
SHA256

7573e668cf6d6d5912da3106f67d042950baf420abc7cb03d62f090262659771
SHA512

30fba84450ed8ba738a502eca08b799f4ff60aea27b59bdceed7bebbb99e83dbd0b12ef6737376d2e223b339bd89c7936ee503d6b79e5e24764a060cef6bfa2e
SSDEEP

3072:SgwO8RvoBBRyfkMY+BES09JXAnyrZalI+YQ:SgwEUsMYod+X3oI+YQ

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2120	msedge.exe
2120	msedge.exe
2964	msedge.exe
2964	msedge.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe
2964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 880	2964	msedge.exe	82
PID 2964 wrote to memory of 880	2964	msedge.exe	82
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 892	2964	msedge.exe	83
PID 2964 wrote to memory of 2120	2964	msedge.exe	84
PID 2964 wrote to memory of 2120	2964	msedge.exe	84
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85
PID 2964 wrote to memory of 4268	2964	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a90f46f8,0x7ff9a90f4708,0x7ff9a90f4718
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1575287763409524567,15656389241393146999,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8259e854ef6bdad3bd5c3a596ef7a253

SHA1
3a25422fa3a72bcf9dba873e768968310968a812

SHA256
1787f3c01ee830c4f9484b742715314fb74282fd8e9cd99f81494949ebc59e74

SHA512
bc634a9ee393ebf6e3ca4c811419a85a45e4d6ce8cffc18b78945f1cf2d1560aed1e7e861f922573536ef5eb083c0fa83dfa6acf9afe5f49b26e723a1024fe1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c460070d5f284c7ec8c0eecd55e4981

SHA1
81ec91a3b26aa629128d2e71f1287a570604a804

SHA256
2d2f827bb16af03c120f3100099687459adf19b1f67c369812ee1d59a3c4e467

SHA512
57f32123257698d4f696d2e86fc1d79f52b1577cd1f82271e879fd6baba50a6866d27691563aadf4cbc30ab5ecf6351e6a49058c63e1bf1d26c4d259330e863c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
82a4d5bdecc8e9a38e3a0fc544dcbaba

SHA1
4cc2b7797f78e2eea51548d84590068dbb9f96ea

SHA256
d5d005b51fadbde8a793d9bb02ee3ca918edad5c224972b77d49608e2fc45ceb

SHA512
0b080170ff47246123e2ed95e1361ddfc2cde2e26b02263c454f1260726f99e11cf429b3f3ea65d3bee0ea8ed0996abd838f5f345eff2aaa12d609352c981df4

Download Submit