5e0e25a5a67fd667901c4699512a3a517085510359bc22084f56d325b036e9b0

Analysis

max time kernel
112s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0e25a5a67fd667901c4699512a3a517085510359bc22084f56d325b036e9b0N.html
Size

93KB
MD5

db80c8a68b0c3126a689170781eceb10
SHA1

11cf0ed49f73e594c2acc5e94011e110ad9443c4
SHA256

5e0e25a5a67fd667901c4699512a3a517085510359bc22084f56d325b036e9b0
SHA512

f0d44b86f697cd6ff9b77e0663ec7694e38c5f6a896d9045911f11fc9945aa5412807b3b375de9081ee239de7c6d0d0c5404fe4e52937b3a1ac312f4814e4e19
SSDEEP

1536:GyVIYSKpO8dActQIVEAcjeNGBMeAcKAc2fm6lIJxgDK+bVmqTQrtey5y7dOzHrZQ:okAcjyAcFjAcKAcd6lIJxj+beteyIYza

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
5080	msedge.exe
5080	msedge.exe
1468	identity_helper.exe
1468	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4472	5080	msedge.exe	83
PID 5080 wrote to memory of 4472	5080	msedge.exe	83
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 3392	5080	msedge.exe	84
PID 5080 wrote to memory of 2564	5080	msedge.exe	85
PID 5080 wrote to memory of 2564	5080	msedge.exe	85
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86
PID 5080 wrote to memory of 228	5080	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5e0e25a5a67fd667901c4699512a3a517085510359bc22084f56d325b036e9b0N.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4cd146f8,0x7fff4cd14708,0x7fff4cd14718
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2718177451026489787,4338406215325987450,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
d7b10115fb4b9600cd96af3c2ecc431c

SHA1
aab03848bb0540226af6f0ea0e35e009a950cc2e

SHA256
15f20aa44d9c234470b196053c606d5891d14ad646c949fcce4bff95a6a15dd3

SHA512
280325076f28a638e43cbf98d707c3aeed6267dfa397062c6af0958582ad5d6f29207ead1b9207bd250b67902cd8df74dc92be6b5c7a39920b83db745f2453b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
688ae465fc0bfe7a1fa46046dd4026bf

SHA1
5de0f037082669ffc51db16e65e0e59f29fecf22

SHA256
4a64fe94dbb8fa44beac0bc068427ed00c63e5911c2fd23049626519c97830ba

SHA512
095253b998d488415b0ac8b16176ce9a1be4d6816cdd3280e9b8a00abcbe8cb4af90467d59c8e02e98d1e9db9e0b8a04a8dc73eb3d9695a40b7114fa47e92d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bd2580d54c6dcf2c584f3b366dc4bdfb

SHA1
bb8ac65bc935b25e2df0ad0a5bc25c0c83f2742a

SHA256
386c3de52ef85c5bc7b6217a661d8f3bb8fcef0083dcfa66385cb0756017737a

SHA512
ec44ee82b1149563bd927602df43d2c2c404f3af64d2ebcdf718bfaf29fdd48909aa01d426dbac80899c0b8dba801285139139ca0ec5a82d049c64b5d0a38d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4e0b3f76231304e1e5112e38336ed04

SHA1
50377414c156c22d7791a66ff6779bdb49180d75

SHA256
f5b7323bea269bf2765340b5122fe5b811ff11456f394aa800baad2b06563830

SHA512
76e417fdcd85d5d8fbfa08cfb8cd4abf4253159a1f23ac294bedeb6a2efedea12b0d9b060e066b9626c46a571a0e1fe56cb8f4dfe75b66278c48def0850eeb49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e99397a8dbcd7ed40dbac14c1ff13515

SHA1
f71981030127a3c6b0ed501d12a5debfe1c6a282

SHA256
3d3b8536b2937898e7a7506fb559068255d99514d97e841fbe725b44fc9107b8

SHA512
f816952a135236bb18739aaf7d5f14710bc1cc24a758b7670ea097372c27a29228ae1f3ea217fe2a18fdd9f0325f9a6e154633d5699ea92f8c190b286c7addde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a85b29a87d148188c59d66197db78473

SHA1
e86d1598ed70361136c9b639ef0a70d55eea25f9

SHA256
eb4f43e57250b0ad803c3218fc7611ddf08974e68be7e9c5b48e1db17f7533ba

SHA512
796dbec7e45ed90f0f67bb157959d683f4142155ade799408b0222994bf41122c6bf4948bd55bba53c882236fd8f71a36dbce53d2c79b981c0e99859127d9083

Download Submit