hxxps://kys[.]lol/m

Analysis

max time kernel
81s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kys.lol/m

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3136	msedge.exe
3136	msedge.exe
1988	msedge.exe
1988	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe
1988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1168	1988	msedge.exe	82
PID 1988 wrote to memory of 1168	1988	msedge.exe	82
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 4844	1988	msedge.exe	83
PID 1988 wrote to memory of 3136	1988	msedge.exe	84
PID 1988 wrote to memory of 3136	1988	msedge.exe	84
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85
PID 1988 wrote to memory of 5088	1988	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kys.lol/m
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd439a46f8,0x7ffd439a4708,0x7ffd439a4718
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10540142688824151029,3358611339984675028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
199KB

MD5
585ac11a4e8628c13c32de68f89f98d6

SHA1
bcea01f9deb8d6711088cb5c344ebd57997839db

SHA256
d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6

SHA512
76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2789685d35617616e81d51763cd48e9a

SHA1
70a51f0da5ad53af0c13c17c4dd73b826a2efb9c

SHA256
b0d0ca92a090efc8f5d7aece89e340b3cc35a1f1bfb2fbd5664686a578982394

SHA512
9778cc1866ddfe9d6578148ea18f8e611dfcaf343a98854f1d29e645609f7598b15cb5f6413c804f4a2dea57d15bed267cb92917eccbeb74682431e6e8809c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
463da06215d7cddf8a9b63f73850113d

SHA1
2d55221d920588c5f6dbaf287fd314670fe1592c

SHA256
5bb9a41f8f5cdd2e2e5b8b676ef1deaa1c290d5b3aad88f9cfa15956495c318e

SHA512
92ad48f35955a9a8238cac6873c3ee6504c1c4db0f2f61b135ffc35d94012abbaa3df201ac5b2cf6cfdc3e40df50409e9a0a16f54d92ce29229bd5c5121b401a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
af6a6f74e547db93670ca02a73dbe70b

SHA1
4c06bc0c6663bcab87640f2c38e635da0c3b03d7

SHA256
1331c4cbfd7aacdfa3ae59e9bcf2b06b38e18fbe842816b8bfd1ccf30bbccbc5

SHA512
dcfad0c304d1f9bd68a7ef76fd08954a5d5166550048c19b878da62253c8bd127d6ed0ea6cece150ee9fcfbf2f62619b86247980bdfb7fd903155718c242e7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dd19d9f85bad95a9e39b7617c023a795

SHA1
0f6a6f8cb17801861bb754c16924d3a02f953db1

SHA256
9e16f61e61f24dd44c6dbf688b118e4a8adbb2cb65e0216b4735021d36d25bd0

SHA512
0b87dae6e767a7aa6f9646628bec008c70836c00dfa35311315731f66c34d5d88203729eb56bcdd59a2b84cc848ac30c06ffdc7c7bccb4e1f60db6609b988cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19acf29bdf2b7a2c99160a18f8dee74e

SHA1
896e26198c825f9dfd668ccd98529b66a2d28d3f

SHA256
aba01c8bfdb185d8c91305124e7cd7c9b3c2ad40bf55a956f1cde500f093e05d

SHA512
df6bbd0825a62691c5b7c0c322957d6f62a05d5735cdc6c642768301c128e6a794ef37bef08aa379cd4cfbd3047892b37da6ba44a78f32c1410dcd4de8d8b4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ddcadb61a9a4fc8d2f7410c8c4dacf1

SHA1
b5b82c58f1726c78d9987f7c6eeed57d32398244

SHA256
bbb88c1869621416866454509de8d201ee4c40e2b63771b4705def2c2f15b33d

SHA512
6e1cc7577dedf8961a2fdff5bd77cf815020c8957912dae2fd1f58fb70d15262ec0f9caa85de893538aca3756adf9406f7dafc0cc4e8ee1f214e31987f1feec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40a5696ea67f43e77f6ef65eec242ce5

SHA1
b53bab45d6733941e78dce0d9f38d43bff7276bf

SHA256
0d877bd8c26276f9cbf752927bb71be167c5aaa0b177578d6ae99e9cb8228e8f

SHA512
753424b9546280dc7534160863a7660866d82490e9cb53f167506b4c6d969055a9161c57a54c741ddbaca243dbba3ec0948c44befded9b7137cf2fa992ef1ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
896bbd382106b3749605be5bca7ca3c6

SHA1
12e417a9f0433329edb5e4c1ae0ce3675b2d5a93

SHA256
a4c8e21d222448b86806bc527500ef0ce305ddfc94417ee5458ba11403797753

SHA512
a6ab31314e53143eb252c2103a0441c5e0e374591aa95d97445fb20a97129e03e8090d0a532d2b19d0a9ed7c2b74910091845c221507210aa535362f28c6421e

Download Submit