Analysis
-
max time kernel
480s -
max time network
484s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
27-11-2024 08:02
Static task
static1
Behavioral task
behavioral1
Sample
redirect.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
redirect.html
Resource
win11-20241007-en
General
-
Target
redirect.html
-
Size
6KB
-
MD5
714163d1a88da215b7dd9fb8143c2605
-
SHA1
008b1e292c3942192a4c2e0abc432775a39a49e2
-
SHA256
9afca0afcd89489efd32e234e102297ebcc1c2ba58441c66c9d3a21fc882ead6
-
SHA512
9d20134adfb5487c75d27746fd55c38d93ac55486142066964ad306a2c0be3e46122418cb58568c7b21cf5cd178675d98d634ab00fc590f6e7b7a8cac01b8a66
-
SSDEEP
192:dEHLxX7777/77QF7ByrK0Lod4BYCIksOqXeTn:dEr5HYJ0+CIksOqXi
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid Process 2528 msedge.exe 2528 msedge.exe 1784 msedge.exe 1784 msedge.exe 444 msedge.exe 444 msedge.exe 852 identity_helper.exe 852 identity_helper.exe 4776 msedge.exe 4776 msedge.exe 4776 msedge.exe 4776 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid Process 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid Process 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exepid Process 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe 1784 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid Process procid_target PID 1784 wrote to memory of 1084 1784 msedge.exe 77 PID 1784 wrote to memory of 1084 1784 msedge.exe 77 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 4864 1784 msedge.exe 78 PID 1784 wrote to memory of 2528 1784 msedge.exe 79 PID 1784 wrote to memory of 2528 1784 msedge.exe 79 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80 PID 1784 wrote to memory of 2680 1784 msedge.exe 80
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\redirect.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff91ad43cb8,0x7ff91ad43cc8,0x7ff91ad43cd82⤵PID:1084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:22⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:82⤵PID:2680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:3676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:12⤵PID:792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:12⤵PID:2212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:12⤵PID:1188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵PID:648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5883473280588165840,10619154564819875004,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3332 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1380
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:236
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5fdee96b970080ef7f5bfa5964075575e
SHA12c821998dc2674d291bfa83a4df46814f0c29ab4
SHA256a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0
SHA51220875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff
-
Filesize
152B
MD546e6ad711a84b5dc7b30b75297d64875
SHA18ca343bfab1e2c04e67b9b16b8e06ba463b4f485
SHA25677b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f
SHA5128472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e
-
Filesize
394B
MD5e18def16a5bf6977b5af0ce0f2c8abfc
SHA15bf69060920a54531ffa8110450af7ac8e34ce9e
SHA25683fee37e5f5f7f3d480012a7e1e4e794c5f84838b318b629a2e800ab4599f634
SHA512869843d5189540ef68dba79389a5d9325d1bf07f76c521d9f28b331ae6ec5a960f8004ed9cdc3c4dc5e928eb31ac4cc5c83b8f6572d9ab91326c03cb98aadcaa
-
Filesize
5KB
MD519c9745243db31e148ea6da5b26f09ca
SHA1a15dba42d0c33f09f47c73bce43a706e45bda1a4
SHA256d17e3513be4d7990a8dfb5863d30a9c979ac53f8a6c312cb0ad90dcd79445d61
SHA51251e86fbce8cc92c1ee186224df242bb42c9d848ff4bebf196f4e569515bf0766639250b9a8b94239ada5d4bd157b61547af0837ccd6584db899c53e22de059a8
-
Filesize
5KB
MD5c11d14aeafcd9831a1978ceaa8edf6e8
SHA1c4f695f263629d00b8c12dfee9051421c85f13ba
SHA2569bcfaf80106773d8630bdd31d52768b0cd40d8ef8adc9b931dd3098f9d2b0b74
SHA5122dadf2915db929f5c744803b9414546fe668eb615c01d93fbe9adaf603351e0922e97e5e723680b944f13555e138c9b9a2336d1db8a475d754d6fff05129e945
-
Filesize
5KB
MD581664781983aace9454838ab45d0a7c6
SHA186ebcc3b3d601de890c73ff540cf1b4367a38a1a
SHA25679abf097d0514ed45a89f6e698b8d67ba517826841a470b6e498f32411652532
SHA51222eab1a68cadf92b4c5d525711e93f02a7d1bac59d1301afa455afd9ef8bbdcd77e068d3d67c558da3758048b093f4a6eec7f9651ebe6ae2984aee77d155b89a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5a96f24a85a55f961f1cf0a23d7a5778b
SHA161acd4fc595cb7a2fb144f4c43af2668bf65c86b
SHA2563466432fdddc2b06f8360f768351ea7a293cb48efb33cd78e97ee8616d5ab49d
SHA51243b03878be6554d3f88acedc72d30923d72bafe903e78c87f91ebbe42b57c95fd262b5e7fac7a0ee67c3d4d6d2c4b6b881a35244219710d5f9ff1e785bce7af2
-
Filesize
10KB
MD5c2ee2eaee022f9afd223e7218ef89f02
SHA13511d3c1ae1db890e682de16a8e153a16dbae375
SHA2561ebfe2b816e606a8ddf789fd6157eb29501c7bf9b241d64186a6baa70de00128
SHA5125e9b79e1616fce16e372a67326e6c1c3e14ccb1b4a35bd1f989baa9df6c4b4562e55d761c25dfdba8ea0e769d48c53c9379560d20985dcb4e637c3958acdee63
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e