e9b48ffc3197d034421ed81c4a5af3b0f50709ace151e79f1517d81854eb56fa

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

213KB
MD5

358722f28cfa023c5e0faff574b3c460
SHA1

37bb653b8ea2986eff8cf1bdedefa30b97a0aacd
SHA256

9ab42d8fac9cb1bcc702e6d46f1bed5572f04d062f6257fa8bc1af70c357ef22
SHA512

4bfbd881862ba4a3cb3bfd41757664fe9ff60c0969b12d1ef5d3713c20c3b61fc148f525af889b715c4a2de1c4fc1fdc042f872eaa0ffe0c29aafc975e4ef3aa
SSDEEP

3072:SXcd06iOYyBYiyfkMY+BES09JXAnyrZalI+YQ:SXoiRTnsMYod+X3oI+YQ

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3500	msedge.exe
3500	msedge.exe
2948	msedge.exe
2948	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1972	2948	msedge.exe	82
PID 2948 wrote to memory of 1972	2948	msedge.exe	82
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3428	2948	msedge.exe	83
PID 2948 wrote to memory of 3500	2948	msedge.exe	84
PID 2948 wrote to memory of 3500	2948	msedge.exe	84
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85
PID 2948 wrote to memory of 4560	2948	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff379446f8,0x7fff37944708,0x7fff37944718
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6325341048215716614,12991512084180702924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e99dc196a12e9bf10996f3f97c06e43

SHA1
c3a18f87ba1b5f9ee4befc82b964525aeec9b138

SHA256
45f8dc0d3b548f43f9eb2c37b89297c6eca21a211ebc725085a2615447b50f2e

SHA512
b612393c31339e2c1f3912c8432cba00424f112314bdc9885bfb71e7d3b0b0a731aa8d9f155305eb62d6777cd1516b9d5dbc119cfb8c363efb233ad42ab27562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96a6f0f22fe2ddf32b6329ed66ba4a53

SHA1
54ec8aacc47e6637ea2354bc6f057ac6e21e7f50

SHA256
38992e233205be810b1d99173fae290a3abbe0e7988c8430a35539f9988b65e2

SHA512
1586a79280717e7f51ae60f7dd2dd4b9fdf760536132716ddffed5ff16e7afe5ecb978b971ed307c1891372c37ce3983d5f036e0cdd5d687179d93de80e2b517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ed21d5a9c0759a0191bd2f63d160ea8

SHA1
38da0b9c5e5f34999e8704e9aae78f9add3d593a

SHA256
1ba70f780bd047ee9af93e363d988092e30a20e3a4fbd282e79d26fdc9996ee3

SHA512
02777da03815cd5cfa461e708109cf10b0c78f3fc44e76c14d17a306ec2ffc090c150976f4910d3dfa9305c2cdbc37e67cd6857129ade27d1656bae479388bda

Download Submit