Analysis

max time kernel: 145s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 15:12

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://live.ialbatros.com/HotelBookingConfirmation/confirm?reservationNumber=DH6H74FN&systellCaseId=8c4fbc1e-a616-44ce-a525-580d045a4e02&language=eng
Resource: win10v2004-20240611-en

General

Target: https://live.ialbatros.com/HotelBookingConfirmation/confirm?reservationNumber=DH6H74FN&systellCaseId=8c4fbc1e-a616-44ce-a525-580d045a4e02&language=eng
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  SystemManufacturer and SystemProductName identify the machine or hypervisor vendor, which is why sandboxes flag reads of them; here the reader is the Edge browser process.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid    process              events
  4376   msedge.exe           2
  2440   msedge.exe           2
  3156   identity_helper.exe  2
  4544   msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid    process     events
  2440   msedge.exe  6

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid    process     events
  2440   msedge.exe  25

Suspicious use of SendNotifyMessage (24 IoCs)
  pid    process     events
  2440   msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid    process     target pid  procid_target  events
  PID 2440 wrote to memory of 2912     2440   msedge.exe  2912        81             2
  PID 2440 wrote to memory of 864      2440   msedge.exe  864         82             (see note)
  PID 2440 wrote to memory of 4376     2440   msedge.exe  4376        83             2
  PID 2440 wrote to memory of 1052     2440   msedge.exe  1052        84             (see note)
  Note: all 64 events originate from the Edge browser process (PID 2440); the remaining 60 events are split between targets 864 and 1052. All four targets (2912, 864, 4376, 1052) are child processes of 2440 in the process tree below, so every write is from a parent into a child it spawned.
Processes

msedge.exe (PID 2440), tree root
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://live.ialbatros.com/HotelBookingConfirmation/confirm?reservationNumber=DH6H74FN&systellCaseId=8c4fbc1e-a616-44ce-a525-580d045a4e02&language=eng
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  msedge.exe (PID 2912), child of 2440, crashpad-handler
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9acdc46f8,0x7ff9acdc4708,0x7ff9acdc4718

  msedge.exe (PID 864), child of 2440, gpu-process
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

  msedge.exe (PID 4376), child of 2440, network service
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 1052), child of 2440, storage service
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

  msedge.exe (PID 4240), child of 2440, renderer
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

  msedge.exe (PID 3212), child of 2440, renderer
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

  msedge.exe (PID 4140), child of 2440, renderer
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1

  msedge.exe (PID 4532), child of 2440, renderer (instant process)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

  identity_helper.exe (PID 4472), child of 2440, WinRT app-id service
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8

  identity_helper.exe (PID 3156), child of 2440, WinRT app-id service
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

  msedge.exe (PID 1264), child of 2440, renderer
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

  msedge.exe (PID 5028), child of 2440, renderer (instant process)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

  msedge.exe (PID 4544), child of 2440, gpu-process (relaunched without GPU sandbox)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14503398807668072714,13913258453224298489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
    Signatures:
      - Suspicious behavior: EnumeratesProcesses

CompPkgSrv.exe (PID 2932), tree root
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe (PID 8), tree root
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
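A "Suspicious use of WriteProcessMemory" hit is only meaningful once it is read against the process tree: a browser process writing into the children it has just launched looks very different from a write into an unrelated process. The Python below is an added example, not part of the sandbox report. It transcribes the report's process list (with the parent relation taken from the tree depth shown above) and a constructed excerpt of the 64-row event table, collapses the repeated events, and flags any write whose target is not a direct child of the writer or whose image lies outside the Edge install directory. The trusted-directory rule and the excerpt of events are assumptions made for the example.

```python
"""Cross-check a sandbox 'Suspicious use of WriteProcessMemory' signature
against the report's own process tree.

Added example: the process list is transcribed from the report above;
SAMPLE_EVENTS is a constructed excerpt of its 64-row event table.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Install directory of the Edge build seen in the report (assumed trusted here).
EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None for a root of the tree


# Depth-1 entries in the report are roots; depth-2 entries are children of 2440.
PROCESSES = [
    Proc(2440, EDGE_DIR + r"\msedge.exe", None),                  # browser process
    Proc(2912, EDGE_DIR + r"\msedge.exe", 2440),                  # crashpad-handler
    Proc(864,  EDGE_DIR + r"\msedge.exe", 2440),                  # gpu-process
    Proc(4376, EDGE_DIR + r"\msedge.exe", 2440),                  # network service
    Proc(1052, EDGE_DIR + r"\msedge.exe", 2440),                  # storage service
    Proc(4240, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(3212, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(4140, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(4532, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(4472, EDGE_DIR + r"\92.0.902.67\identity_helper.exe", 2440),
    Proc(3156, EDGE_DIR + r"\92.0.902.67\identity_helper.exe", 2440),
    Proc(1264, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(5028, EDGE_DIR + r"\msedge.exe", 2440),                  # renderer
    Proc(4544, EDGE_DIR + r"\msedge.exe", 2440),                  # second gpu-process
    Proc(2932, r"C:\Windows\System32\CompPkgSrv.exe", None),
    Proc(8,    r"C:\Windows\System32\CompPkgSrv.exe", None),
]

# One event in the report's table reads:
#   "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Constructed excerpt of the report's flattened event list.
SAMPLE_EVENTS = (
    "PID 2440 wrote to memory of 2912 2440 msedge.exe 81 "
    "PID 2440 wrote to memory of 2912 2440 msedge.exe 81 "
    "PID 2440 wrote to memory of 864 2440 msedge.exe 82 "
    "PID 2440 wrote to memory of 864 2440 msedge.exe 82 "
    "PID 2440 wrote to memory of 4376 2440 msedge.exe 83 "
    "PID 2440 wrote to memory of 1052 2440 msedge.exe 84"
)


def parse_events(text: str) -> Counter:
    """Collapse the flattened event list into {(writer_pid, target_pid): count}."""
    return Counter((int(w), int(t)) for w, t, _image, _procid in EVENT_RE.findall(text))


def _under(path: str, directory: str) -> bool:
    return path.lower().startswith(directory.lower() + "\\")


def triage_writes(processes, writes, trusted_dir=EDGE_DIR):
    """Return (writer, target, count, reason) for every write that is NOT
    explained by a process setting up its own child: the target must be
    known, must be a direct child of the writer, and both images must live
    under trusted_dir. An empty list means every event fits that pattern."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for (writer, target), count in sorted(writes.items()):
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            findings.append((writer, target, count, "pid missing from process list"))
        elif t.parent != writer:
            findings.append((writer, target, count, "target is not a direct child of the writer"))
        elif not (_under(w.image, trusted_dir) and _under(t.image, trusted_dir)):
            findings.append((writer, target, count, "image outside trusted directory"))
    return findings


if __name__ == "__main__":
    writes = parse_events(SAMPLE_EVENTS)
    print("collapsed events:", dict(writes))
    for finding in triage_writes(PROCESSES, writes):
        print("REVIEW:", finding)
```

Run against the report's own tree, every collapsed event is a parent-to-child write inside the Edge directory and the function returns nothing to review; a write from 2440 into one of the CompPkgSrv.exe roots, or into a PID absent from the process list, would be returned as a finding.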
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
  MD5:    477462b6ad8eaaf8d38f5e3a4daf17b0
  SHA1:   86174e670c44767c08a39cc2a53c09c318326201
  SHA256: e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
  SHA512: a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Filesize: 152B
  MD5:    b704c9ca0493bd4548ac9c69dc4a4f27
  SHA1:   a3e5e54e630dabe55ca18a798d9f5681e0620ba7
  SHA256: 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
  SHA512: 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Filesize: 186B
  MD5:    0dcc3f37814debca93de3ec934b05816
  SHA1:   00dc57ac2363df419400ce3fffbc70ce5a70ac9d
  SHA256: c6d1f9b0d4ccad308371de4aeed24d413f1a98d5cebebb9dfc69ce7059044b76
  SHA512: 9b0d345ebad2f759a5d4af9f9473435289fbc8087bf49aa1be418e82f84aa3ac370d496024a946e3acd7dd95230e44f2a8f94b4703badd3ff0a097331473a8bb

Filesize: 6KB
  MD5:    ecac2ae2a33700a234d0dbf6bac4ad3a
  SHA1:   22d37886377061e65b6207c4cb7e492bd872a05d
  SHA256: 8ed013d9b0e995b4776f8ef0bac73981f101a3e0ea683d94a83bab17887b7284
  SHA512: b6126cc3a02d75d92978b3019c67a7384e880cb33cc5eee568ad91c3b965ba0736f335c48ff254f12362be653ee775f39336343ecb87f00a86141ad5e36d9643

Filesize: 6KB
  MD5:    d5f1b9c408622584d64d67a9425e87fb
  SHA1:   1c8336ff3a0312f70928685fc26ecc8dc7af220b
  SHA256: 14903f3ea7892a697036d6aa165328769f18996ff5e19fdcde19883ad9aa47b4
  SHA512: faf48c03cf88be3ec156f345291ad84e2311706fe59a7470c8471691979fd12c2656906570a172e144446e119792789c37c9f1833e5d944abfb4a0ab1996a04f

Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
  MD5:    92b2c0e46b5bc6a8f1a1eb543628b183
  SHA1:   969ded4707efe488234aad090d4085817412b817
  SHA256: e302b97417a6f359b9d144ae56cb93dccae607d009f0e95e6a3084c6f0502dae
  SHA512: 62cae2adcc82feb0b9ca27d1a043949bb94efbbb5651a75da1caa1cb1bd0029f98131ee8494abe4a0ae9c9b982944adad2b0f04f045ae4a417247ab77c35ce32