hxxps://aka[.]ms/AAb9ysg

Analysis

max time kernel
230s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 20:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://aka.ms/AAb9ysg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
3724	msedge.exe
3724	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3756	3724	msedge.exe	86
PID 3724 wrote to memory of 3756	3724	msedge.exe	86
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 2200	3724	msedge.exe	89
PID 3724 wrote to memory of 4896	3724	msedge.exe	88
PID 3724 wrote to memory of 4896	3724	msedge.exe	88
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90
PID 3724 wrote to memory of 4120	3724	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/AAb9ysg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa413546f8,0x7ffa41354708,0x7ffa41354718
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,3575574097276895910,7186682783482182044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
106ac68913be064fa754a20b1b68f4a2

SHA1
f6aea17d0787b77550585d7188afbd7ff7542888

SHA256
e7fe9133f7bfe969cf6a24e1d1a422c79c7fce9e54797e03fd9cd7af83aa45a7

SHA512
48058ce16142720af40a58af4846dcc3351587e4252ec7dd60692696681761147c26d52a5de9a73df1121fbaaf7a6a616afcaeca94bed6b1433ed0400de492d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38759ea8fa91fb7e73e30cc255afc7f6

SHA1
157de5dab1570985124930b61a62f07ec3caf74a

SHA256
8578ca6fd89c9adae967ec5a7b62e8d069a0ea538f6f752cd00021f141c1d845

SHA512
66691b537cc29929cb57163f8f07a0ed335382f55da0d10e20d2d743d4b8156e2ba760e64748a5aa38d54ce933b38325d6d5879cbfefe900775f8aef284234c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a17cf30186a60003b032d5387764e99

SHA1
bf89a3030829668841a488fdcbfd5aca1230fa55

SHA256
6a6ddffa5781594bdfe87061448aa8c26ecd0865abf7870548b7d8d28d14187a

SHA512
1a266a44011a37344a246cb553592c2ca6cb90ebb177e3235bbaf4ddb6bee40719e07df9ec7c8ab83bfff53cc028415f3b2d01ed116842da28a083fb7e4040be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af7340a4859738839ef21148f2bfc00f

SHA1
039c7b583937164158bffd7dbba26956a0d3625d

SHA256
48be11ff53eef0d03a5326a142c9eae0dfeace44f1c099f473bc4d0d543dc8f9

SHA512
e852e0339ae59f184e1140c155a66a671acada1849ad263685db1b4fd1f2e10d59723e2337be249ced6486d76c97191067c797e7037f504d2463676793b6f358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
c209335faad23aa8456a189162bb7914

SHA1
82236ee598c63f10c7100313bd1fd40faddaffe7

SHA256
6a8c84c4751e91eacd948f059d9029b86e5dab151746632cbe2ed63274d37a66

SHA512
fc9660e71737ea60a50e64ab9a8ec3979d40922a783a392251d3f15940fc7e6aaddfa1c79513bc4a580124a089ecaa1a33f79f84a51ea05140f01cdba0084ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a827f.TMP

Filesize
203B

MD5
d00ab633a1e0132f063804c99b888824

SHA1
4ec910acb49dc3f281fb180f2cf9e3d68d5c0b6c

SHA256
460494d0954eeae083dc79afec390240c1eb37943c553bd295c75f2694be3498

SHA512
f147646cced12a5e17e44f63eaee7cf22a8903c6d6818cc64b51cfc21e77549deb47c70b3fe7ef700044c0065c45e8ff3dfb69f20a5a746f833cd98f4deccefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b05f448d-4d25-4974-9967-c89127709aa6.tmp

Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
c27997f7da4a72dc461e7ed9719a0c3a

SHA1
defc7d98652deba41e3310f6e57595ce2a03d79c

SHA256
1fc9718f6e6ca0c104adf25ee070197f2ecd5b8fb4a976584733f3efe1ef1951

SHA512
94c0e402a6403edfeb2d26a413d12dc591024e63398dc58889ca4f59d31a264e7a8d32f829da46f0069764b2c666ef8ce5ced550dc214c81acabc2477fd6255d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
6957eb605fafd589e7acdaf68adfd6fa

SHA1
0169481e49166c211e0f5ae936e6c1451a6e0a87

SHA256
07a4b75f3891a0060fd19c1ff1db4809bc3d3478747997dc300dfc1e4ccad13a

SHA512
cd637a8db462fe2be16ec66c192cd7219a4445b0e662b562bd7ae4fce97594d20aa2e58f65c0c252e256f18d6032cf88ac9ebfc40ef1f5c45439aa5a10bdae9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f968f6da1c80d804d97b9f5f8471a74

SHA1
b72590ae8856ef31b0fc78119e43e34998594ac8

SHA256
a762094fc17eac38db5bc0a0e25edf7648d29cc64a0823a35e9d11c725d4639a

SHA512
66dda98aea54c80ffaaf19836ecd9793920e9681cf40b5719c044c355413515f0daa044e6d12d88b20544a13875b36a627cb309b1546f6bd9f62134b4daf3f39

Download Submit