ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9

Resubmissions

29-10-2024 11:51

241029-n1k2cswmhk 10

29-10-2024 10:57

241029-m2ltlsvcql 6

Analysis

max time kernel
1681s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-10-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

1KB
MD5

84238dfc8092e5d9c0dac8ef93371a07
SHA1

4a3ce8ee11e091dd7923f4d8c6e5b5e41ec7c047
SHA256

ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9
SHA512

d06b93c883f8126a04589937a884032df031b05518eed9d433efb6447834df2596aebd500d69b8283e5702d988ed49655ae654c1683c7a4ae58bfa6b92f2b73a

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4672	msedge.exe
4672	msedge.exe
3944	msedge.exe
3944	msedge.exe
780	identity_helper.exe
780	identity_helper.exe
4876	msedge.exe
4876	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe
3944	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1536	3944	msedge.exe	80
PID 3944 wrote to memory of 1536	3944	msedge.exe	80
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4332	3944	msedge.exe	81
PID 3944 wrote to memory of 4672	3944	msedge.exe	82
PID 3944 wrote to memory of 4672	3944	msedge.exe	82
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83
PID 3944 wrote to memory of 3100	3944	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff674b3cb8,0x7fff674b3cc8,0x7fff674b3cd8
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,16500807401916315345,13118043124219339024,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
71924736f83f795172a6f3396df12494

SHA1
8d9353997b0735c8e91fa45988b2113136397e0e

SHA256
5dc63e9b0d87ef7459d94d69232e31c73d9499ebf9fb4c95e75484bf49f45526

SHA512
2ed6205c17ab9a60655c2837c863574efdd1a69b6443c5510d8bf89cbf74bdec87922b832b378a6daf3ed664980b7945160dcccdc79417814457b9915b6c0ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
10e2236fb09a215de8a0c7dcb141d92c

SHA1
7d867742293be1dd025a6b9524963a05f6003765

SHA256
1fc999b5c2a104c5c2760d5c42780e7865ddb6a7b5e2608adc10f8f6c18dff45

SHA512
d13dab6cac80e21cb22ca2391df4b4e46c1f1b97e323cbcba7c9dfcf4dff8c782dd0a86b8bd482b7ae7576189025f42857ff70566a9aaaaa528572ef77560890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
005dc19ad753b61ad51fbfcff00ae9af

SHA1
f0efabca417944f2dbecf43e2770bc86a78475d5

SHA256
3d0a6cb350c630393ba941617661b8df91d04a76d3e66ee289e549710b561ce5

SHA512
5d6b6cb3003bf8b7644db1b5875aff7e761d2c962dbb85d8151416fb98f05423c5952a3100844c5e3d3227490537fb43b080651dc332cd1ee99ab43d15827d92

Download Submit