b7f8e44e99bf3ed9226f820166a0744374ead150bf90636a536f649945e2c663

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Alexa互刷平台/Bottom.html
Size

2KB
MD5

33d45928f8e929d38f23bd4be668c904
SHA1

846bbd59ff422e6b73ca0063b09ca577814d2199
SHA256

93fdc69ef883ae86a2bcdc2c3a89312bb2bf278013c7e36eafac5076af531ce3
SHA512

dcadbe5cc4f1ef6037b3b0efb7647ae05d2e0b1b2e9433fe7d0e3151c95250c3ef8c304f0fb7649aa41e4b5e5b0a9ff8de0fdf9871ea397fcd8c0330336b8f2d

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
320	msedge.exe
320	msedge.exe
628	msedge.exe
628	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe
2656	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3668	628	msedge.exe	83
PID 628 wrote to memory of 3668	628	msedge.exe	83
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 4704	628	msedge.exe	84
PID 628 wrote to memory of 320	628	msedge.exe	85
PID 628 wrote to memory of 320	628	msedge.exe	85
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86
PID 628 wrote to memory of 2800	628	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Alexa互刷平台\Bottom.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb224b46f8,0x7ffb224b4708,0x7ffb224b4718
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1490523076596285943,2524411644114802312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
506e03d65052f54028056da258af8ae6

SHA1
c960e67d09834d528e12e062302a97c26e317d0e

SHA256
b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98

SHA512
15da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a15dea0d79ea8ba114ad8141d7d10563

SHA1
9b730b2d809d4adef7e8b68660a05ac95b5b8478

SHA256
0c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf

SHA512
810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
424104ea792151c93272db062fc2cecd

SHA1
e1fc5fd517771bafb0e5d3db47ccd0847e2b8453

SHA256
6ccb9bff306bab1ac33772ef21ff1d6e82f321d154eb30b7f52b28f30b3361d7

SHA512
35e831fa68ae1c17a68a429df61420f2b3b7067d6dab2d680ff5af7f51edb247c970377ed0714ac43e5e68d9a65342bee873ad93106526276e6352071f662e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
480B

MD5
f2d8b37025f384bff78110c92191d6f9

SHA1
7e6a68bbc504145c649460e4159440303c0699ea

SHA256
c85aaa6d1becc99bd32f4ed3e126d53cbcca072d0e056a021543ffce6667a8a6

SHA512
e30473feaa795c481e6b74c42863f1acc597c746298d960144bafcc99c0f04d63f41e00f9b78d8f26d37c201bdd8de64f9a3b9b4c55e8bd3257b4a93fd416683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2da1320053993b7f6d96f29ead93823

SHA1
dec68a9ba5ec4797c53a7a6f6057421d10e19e4f

SHA256
beefd9d5782bcce5ea45a3f16889fd16f88b868913ec0c526f46e0f7fbc0db48

SHA512
cde4b704811256c68d3bbfea817063ae892521daf8b87aa16eb9e3c10cf64a41411ee4ff37fa9ea738038d75fca94e7f72067baf786afe7b8559ea9ee76ff47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ae1baba274c90eb0f9d1bf6ad2df8b9d

SHA1
95329858ca28aff8621165df435b9904e368d5db

SHA256
f17614a14bcfd7928fa530ce2d11ec7760a61938665d71232e506578bd2c8b91

SHA512
3e3dd89184de8f7d14491b8ccafcf2ce0ca9d12137ce87ae2ad5df69c33abe0ba8c07eee3136921a79d843bd550c54735a58a93d75724850baa5182bb1e29309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
708B

MD5
3bba5ddab10a1482c815553454df7806

SHA1
fae0516413a1822068dbe789df99dac228fc74f4

SHA256
9fedc57fe53d3fc5ca90b39ff21ae760c37937bdbba4051ff0c82d4afa2093a8

SHA512
6f658bf4b24ae29b56f2c67d67e10b1545c06a88a82e90d3ed11b1c17d35245720082c7c30430124608b47be5ab8fb4f91e558da97916c360f814615a01ed335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582863.TMP

Filesize
204B

MD5
c7a91e502b9fd6b6fbcafe4d3eb15da9

SHA1
e3dbb37cfd17253700f60e2c4a20a4fecdceb32f

SHA256
9731ae3f0f68326e65ec11b27206162f5614f54bacc6c43839e04a539c2d4867

SHA512
2382a08548a7e7327ece81d94b0df7f30497c5c66b7cc900008355f3764add17a40ba4d6b34ad3cf7cfe32f1e9bea3e891cf45d47ea85718420c8e239a05a5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa140856e4163e3dcbfcac375efcbc5a

SHA1
f6d08f531ce5a84baeda8c1260cb1adee2c17fc3

SHA256
a307e52bb308f86bc55bed7ab60c01352e93544709c544a1d05816828cc3ff4d

SHA512
6ed1aa271b9a4de3b5f9d2c8b2bbb25c985392a5c1c2681a827be07fc85c57bcd1fc699fd3e84b1fd111e3c6bf1fa06b652a096b4128fc45445dd8c681f17358

Download Submit