hxxps://xinyuetech[.]en[.]alibaba[.]com/index[.]html?spm=a2700[.]shop_co[.]88[.]10[.]3eba7ae4zYThy3

Analysis

max time kernel
5s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
22/11/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://xinyuetech.en.alibaba.com/index.html?spm=a2700.shop_co.88.10.3eba7ae4zYThy3

Score

10^/10

alibaba discovery phishing

Malware Config

Signatures

Detected alibaba phishing page
phishing alibaba
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2740	msedge.exe
2740	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 1076	3152	msedge.exe	79
PID 3152 wrote to memory of 1076	3152	msedge.exe	79
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 1336	3152	msedge.exe	80
PID 3152 wrote to memory of 2740	3152	msedge.exe	81
PID 3152 wrote to memory of 2740	3152	msedge.exe	81
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82
PID 3152 wrote to memory of 224	3152	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://xinyuetech.en.alibaba.com/index.html?spm=a2700.shop_co.88.10.3eba7ae4zYThy3
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe52043cb8,0x7ffe52043cc8,0x7ffe52043cd8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,14174848747854950199,9601626621623156070,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F4
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bdf0a0d7-6508-4fa9-9e9c-6151e5169d07.tmp

Filesize
5KB

MD5
3ad29058c85390a819c14a258b97ba25

SHA1
a159d106dbe7ca0b8251525d359bc6af322431c9

SHA256
a567b3c1e56c1d1c02f3e5ee3168d05c43d614bc94a810f310f6d641d18a1eed

SHA512
8b4920217ec1eda9bf7f01c0c2223f2676e024d803834e0c4ec85ee7799443cb5e3dd7ab149dd6ae74259b74abaef5cd0a0e265507579b7056b0d313ea6884a5

Download Submit