hxxps://travel-al[.]com/32728/327282635477

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://travel-al.com/32728/327282635477

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
228	msedge.exe
228	msedge.exe
4808	identity_helper.exe
4808	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2120	228	msedge.exe	83
PID 228 wrote to memory of 2120	228	msedge.exe	83
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4084	228	msedge.exe	84
PID 228 wrote to memory of 4684	228	msedge.exe	85
PID 228 wrote to memory of 4684	228	msedge.exe	85
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86
PID 228 wrote to memory of 1588	228	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://travel-al.com/32728/327282635477
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb63e646f8,0x7ffb63e64708,0x7ffb63e64718
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,168674942109467763,15885759753651903433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:1700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3590c7788f1f36717cbd298007259a6f

SHA1
9e9a602016435a1d642e18a54d8d6589f938a5bb

SHA256
09a08de2fcd19e304c3b8f6e04f5e4da257a3f18759827be4e9c6af862412174

SHA512
07df3ee7e2d4a313c996c6b8451450556a75e5ac8e4d10595f255164fdd25d6bc596ad579d90f6496c78a15a3c6fc349d748dd7c5f4b2b51d330c52577e2988a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
180KB

MD5
497835d373e12af4cd257487dd5d3612

SHA1
425950e9427926ac0aa7940c4a18a44ab59df47a

SHA256
e11ff08dff0a884b311133e2469146b2a54319cf60094511e098df0c3677c4e0

SHA512
aa05611f56185e02289345f9c286ca98f96d5e1d24c8d152605e866e60013dc2945fc60f826e81459003ca9c2b7d439c0f6fdd173cbee57cd751ee51b18d2bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a0a61f5da79a285dc32c80c8b7122b57

SHA1
e3dbba680b42978b82f0edf5f9046a818b26f267

SHA256
d66df0dbc90e69d08c5ebd81d807af1f756a9741109bb25b36c0022bad1cfd05

SHA512
429be904b66425a538921e6cada4b5cf698d54f6387f6ca708d6b6296cd4d1b058d76a2587f6886035eeb7b7e8a9e365c1445e591b34df297e3c519fd29b77e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3c65217b95739cedef77d21b6678990e

SHA1
07563e2648306bf21a297777a13e8a1a09222217

SHA256
7ab4dd5d9b41db4c17a14eb669f9f0e080c8fe30eed6229e9b940687f52ed30c

SHA512
e7cb27b97321e06992bc14a7288a08b78ba3c600f078d3556753341b24b0f5e310dd72da517b3710187965729b212c2e1f263f138ef3d18c7a1681b400806cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d3b0822627659476e57728cea077306

SHA1
b1147ce248c2b94a49dcf22c3d91ca85e4c2d172

SHA256
8f8f742c565269137970cfe12939d4c7e70e6d1e6f3beb5d84322dc0f87ccef1

SHA512
ef21d3e9c091bc366a767de31b93318c4e6868fe6acc501be9b5625ff3b1e5013448ecae88aeca492eba439506bd5d1d46bfd64ce4ae168023bd1e035bf4e9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
654230d9c467fccadc263a885f884b35

SHA1
f055e14948723ac2b2c4caa9cf4551d26ea5dc9d

SHA256
9a73438fd00860121ce5c109f9b777b0bd5d66b74e580646e3f46af2ac07a740

SHA512
7ece6d9f1f6cf4292d12d8be17913d691baca630b2e0a1cc8135c0cbc75709cc5bd6926f84f47aaa9bca13d646a2cc82f1d0c5764b425941c2c55ca123294078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
610916cdf847123eb57c7a47da473dbb

SHA1
21e2179f9a7d84ece9233b54ec04790a42ac0106

SHA256
bbd67edef00fcc3a6644ea8f685f0702234aac8310c8c02d24dc4868e95e6114

SHA512
10554e146e2851adc25691f04e20f85031fa7b3e65cf031a7e600bc94ff016545285c244ff77f58cb78deadfa8c3bba2a8c364533c7a4a864a81713dbb1fd4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60cdc6222e92c921a36d91bb9af961b3

SHA1
c10c13158d5c6d080b7f3781d462a29f14f00137

SHA256
62113acd302a3bc9747ee0009e9b0357237be0139841d7bda36ff7674f2b7213

SHA512
ab04d84ea3a6fa5e885d803d5c0be0e3bc90664fdd9175949c188a8c23a34243a443e6d4fc51d0d78ba02a99d119c6d043bfbc244bb09e7feadfb80cb36427a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a128973ca2ca245299ef7e60156b4ef8

SHA1
d39a437204591bbff98d673e6d1c4f869683ebcc

SHA256
5c6e1f3c7213460c24dc670521adbe32ec76df5e3facc0a7b92a3fa9e340b302

SHA512
bbbdbe2fae61c2a27b4aadfbda2efae2675156dcea6edb8b45fbe83f397f8a1f50d694d8bcd1f53939a277722baf102f3f80caffadfcf0ca80d7408d77d8c490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d1ae46f488b64e540b269dbd384e693

SHA1
91005696e8aadaae2a1cd911f8811e5d4d13a7b9

SHA256
9127ee9e045fa3186d2b4d1586556f01cf0453858a462a55502532a0ca2d5862

SHA512
9a465f9f1c10c0135b957ad73801223194b5abbe054e3b1f1e2c23beec021405756bac6472aa081e3feee813c5b8e664a5f4b2626c05878487c11a38f5fefd22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8e8f190e8abe2695ac6fa8faf7e504c

SHA1
0829435bf596c95689d3de759fdd4edddd0f7741

SHA256
4fba6be8808ae8ec96847126fcef1cb7c4c6d71c2bd2473ec92f7b85e3c5226b

SHA512
8e471e4ab99c5afa0671fac410fdf4c6f3969ce540319e50085b398bd55520c96a713a1a30c2823a6d04875a77f31c7fb3b511b6bff2021b10b44cbe7a235bd5

Download Submit