hxxps://t[.]ly/Al1dD

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://t.ly/Al1dD

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4596	identity_helper.exe
4596	identity_helper.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3644	4776	msedge.exe	85
PID 4776 wrote to memory of 3644	4776	msedge.exe	85
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 4880	4776	msedge.exe	87
PID 4776 wrote to memory of 2848	4776	msedge.exe	86
PID 4776 wrote to memory of 2848	4776	msedge.exe	86
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88
PID 4776 wrote to memory of 232	4776	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.ly/Al1dD
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda0bc46f8,0x7ffda0bc4708,0x7ffda0bc4718
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,9734594947293193571,5141935656589255185,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
e8d9a9e916e3adf516dae61a9bae970c

SHA1
31a061c2f86962bc753cebf9a01a9c83fbb04b45

SHA256
68fd6d8bbd106a388136b79d7220bcac848590cac3b7842eceb149441fb1e0eb

SHA512
1edf0f203bbd145c6a4660cfe3fbb718d4fe23b54e9ea0441a25b882b9a029a8115157fbd417d231a8b3f4f758535550f4e6b76929b3d113889b26c59c9f0678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
531B

MD5
d1c1bbd4b61a1540dfc064a648c8396a

SHA1
fa289ccbd039f657690c72101ec4c4742d4474c6

SHA256
3a87a60f5c083394679704d48939ae093017d5fcebb02ecd2a4a6288807369ba

SHA512
14eb40be5ce77363082b14a53c67b926167c5035f73a1f2d15b0fb2ea784b56fcae2c9dff3123d28533c6f0385e030e0ef04b8eaf318011302610086a160de20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2eb0fbe0e3b57527f7c97166a9dcfd6a

SHA1
7a2dc6d177f09b976aa5253f825fba84a9d7ed95

SHA256
041d08d98a8d46ea1657d890e09c40c7cfa2d743f328cbc12f98fdf1c1acd7a6

SHA512
0663d7ab4aaf20bce177d22daf311b324e359de53290e51491d07bcae83fe6c8d4b38c9846100d6a94a010ebf7fac223ae8c6cb952af19fc1a6c929333287391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bbc00dd1e14c4472c2bb6d14eed34aec

SHA1
c6e8feda163a78753e2dc404cbdb2153efb07518

SHA256
af26f68c07407d295ec7c2da4d9d315b56c6f95ee7da7321d4b852ac06080a6b

SHA512
07ed18aab5a37f54fb3b38b0ba65fc3e974ee7bbbd33124a6bda28bee89c0a8cb3227326889f4411b57e95983937ecb6b238d875298ab03b61cf6cbe6184630b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28612a514795b54cb565fb7726012332

SHA1
b336b29d887bf6f6e5aa12c017b01f771bebcb1f

SHA256
7f6541cb4d34e06cdcbf844b1f8840e6f712a7e151f66e22b7763506aa3da25b

SHA512
891079e92400778c7f0f40f06958ca9c2ba5587eca60b610a378a5759c21087cd126425c56ecc670796ca43e26b597abcc4af81b70a73ca14a0338d4b9a57a62

Download Submit