d874da6363d4d7ce15ca859f35491098fa8cb59204347fb01d315f6cd91fa468

Analysis

max time kernel
121s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asset/admin/yemian.html
Size

893B
MD5

41d20eac40de165e3df5009b6c5b6a7c
SHA1

79003c2b5606a315ed1e82f8f28bb8a6da594339
SHA256

5a3280ba8d3abc23b4a4c6b19b457fc7fd75e10a906b988b78636090bff73849
SHA512

720f8cff00c011c6a201450c5d10dd242b8392ec032550de570a54c8d71994ab1e2dd195b049337749a2aaae5d8bf1e5398d9b7c113f132d9960422b6eda2ff2

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

4428 msedge.exe
4428 msedge.exe
3692 msedge.exe
3692 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3692 msedge.exe
3692 msedge.exe

pid	process
4428	msedge.exe
4428	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3692 wrote to memory of 1224	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 1224	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 3180	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4428	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4428	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe
PID 3692 wrote to memory of 4276	3692	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\asset\admin\yemian.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff26ec46f8,0x7fff26ec4708,0x7fff26ec4718
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,18269108078434477760,12365863047248798442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11dc5e2415378856233d6919aaa82c77

SHA1
9f55ee9ff5dadc7af72543312bf4a5a2214a9cd8

SHA256
7c7e4f6f6f59011c1ac930635a17a1e0525c6dd84127b718e63c8ea052555092

SHA512
ce5c42a99686ca584dc71c4c7bff88081bfb30009b38f1a1a4aa064f9a5138c1c6f8926a5e1b02c1229d3da0e6521a32a3f9a04e05bd8502a23114c215c6f989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9388eaeea8c820fc4d97d4caa49f45b5

SHA1
88420c8bde3e5a1e2225c7edc901bd6d8b68660a

SHA256
7f4c49e1f813cbf1271fa504df527b1892e6f0e6ae8b836a257957baa40bbe2c

SHA512
a5d6cff47dd05cde2d5278c8f4df1d155928569cfa483ad3abf47d535ecf5ccdb701e5a57e41c08b79d25842f72245b63a797c28db6eba1fa7d546a2145ce15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3e36b94ecc94f2f27e087b193b32d10c

SHA1
b7f7fe248e500be8432a1d3846d169cabd5dca68

SHA256
b69027042fcd6aa888d6758d8412e05c8ad9c48da1f545547dc4ce72ef6b8c22

SHA512
aa5b45373b843c16e42ba299277b0eb21e296e29e216b9611b19eee9cd4b0e85cec018588ce4c17987588651d79e59e4cfe0f8dc25210c71453d5f4c4cfb0ca8

Download Submit
\??\pipe\LOCAL\crashpad_3692_QVUFVIBNTZEQOBXA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit