Resubmissions
- 03-12-2024 17:14
- 241203-vr8jmavmew 5 03-12-2024 15:36
- 241203-s1396a1mev 5 03-12-2024 15:34
- 241203-szv76a1max 3

Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows11-21h2_x64
- resource: win11-20241023-en
- resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03-12-2024 17:14
- Static task static1
- Behavioral task behavioral1: sample phish_alert_whitefish_muncipal_12032024.eml, resource win10ltsc2021-20241023-en
- Behavioral task behavioral2: sample phish_alert_whitefish_muncipal_12032024.eml, resource win11-20241007-en
- Behavioral task behavioral3: sample email-html-2.html, resource win10ltsc2021-20241023-en
- Behavioral task behavioral4: sample email-html-2.html, resource win11-20241023-en
- Behavioral task behavioral5: sample email-plain-1.txt, resource win10ltsc2021-20241023-en
- Behavioral task behavioral6: sample email-plain-1.txt, resource win11-20241007-en
General
- Target: email-html-2.html
- Size: 35KB
- MD5: 934dd8392db040eed96733e99ed7cdc7
- SHA1: 9ef1edd1a03e11ed99bd47614fe33a56df5eb8c2
- SHA256: 7a5f6aa0bd3ebf37dfba1f96a5d5bd5fac4a4e86b49c204b013688892dc48fa5
- SHA512: 4ed9697d12f213659ef6d4a1e120582b8daa489aec7d437ff061f27a65427bcc185e102720a0049a4c47c4d314e08edb39e33bc97f6de0fc14322c44feb1a39a
- SSDEEP: 192:LqI1jBg4+Nk5lqE7OQzlHUan0ePN6O6vQ686sk2mkUI/io03FdYY0TXxnNMQaUDS:0Tkpgxjg9jrZm+VPEmdZEAZQw6
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process              entries
  276   msedge.exe           2
  2480  msedge.exe           2
  1992  identity_helper.exe  2
  1604  msedge.exe           2
  4876  msedge.exe           4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid   Process     entries
  2480  msedge.exe  6
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process     entries
  2480  msedge.exe  25
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process     entries
  2480  msedge.exe  12
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process     procid_target  entries
  PID 2480 wrote to memory of 4128   2480  msedge.exe  79             2
  PID 2480 wrote to memory of 3484   2480  msedge.exe  80             40
  PID 2480 wrote to memory of 276    2480  msedge.exe  81             2
  PID 2480 wrote to memory of 3604   2480  msedge.exe  82             20
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2480)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\email-html-2.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4128)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff79823cb8,0x7fff79823cc8,0x7fff79823cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 276)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3604)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2636)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1552)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1992)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1604)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1076)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5084)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,16850247096724109664,16658107226217376968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4864 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 1820)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3528)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads