hxxps://aka[.]ms/AAb9ysg

Analysis

max time kernel
38s
max time network
27s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://aka.ms/AAb9ysg

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771309993990910"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1676	2424	chrome.exe	79
PID 2424 wrote to memory of 1676	2424	chrome.exe	79
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 584	2424	chrome.exe	80
PID 2424 wrote to memory of 4924	2424	chrome.exe	81
PID 2424 wrote to memory of 4924	2424	chrome.exe	81
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82
PID 2424 wrote to memory of 4936	2424	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://aka.ms/AAb9ysg
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab87bcc40,0x7ffab87bcc4c,0x7ffab87bcc58
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1784 /prefetch:2
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3080,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3368,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4812,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4960,i,17079092102952849722,11735025583726722660,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
16c8078db74abe4beb9068735b475b8b

SHA1
d0555203dcde176bc8173ca2c296ff7945eb2858

SHA256
37773e6db2558537a917220756425bb25c43a0870a17fbb7f25b37ad58176047

SHA512
dff917a9ca5f78741cee2314326d0d77399c9f92983ad0b29024de7a582a6580c07792262cc2f0494346df7b2d2b21cd439901d8d6ce0fcfbb5edeb3301e4fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
22KB

MD5
c654a623ad90bb3dcd769dbbac34d863

SHA1
8719de38f17d8e4d73e2a5e4e867d63dd3965baa

SHA256
deec787cca1b9436e080478742a0299e0db1a9712543a72d2cdc8373fc45a432

SHA512
b7440cec44b71bcdbefcd878a860ee3cc0163dc0905dc688ebcbcd7c6f5cfdfc187ea0c2b6247a362ad462450c34020933df7825cf6ceaeb3138d65eb944abad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
2d52ef0a9b80dc0bddf3d2796f27b49b

SHA1
30922c308da19249f25a1aadc2b2c22beaf9a574

SHA256
9182bdb4015c241a490de883fb1d90a77197520118d2c4f502447bf9b588c9fb

SHA512
0a9422b6b70a46d3a024dfe303c6bab3392d384b6871e47a8af9a445efe7c4d2a36953d74e3767f0b06fb55edde7a0b4315fcf6243821708bc024c33e23c2dbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
3b38e5d4a4c9e95344f96211be9f92f4

SHA1
dce1049e6edf2b9e6ec3db37f7601b0ca75f4d7e

SHA256
934ef387779867f22812348a669276512d00e2e2f8a9655ebace857a9f3a8b52

SHA512
90ff3ff67472ab1edc205180fa36108ab9073762e9ff9883511eeff9d5200a433eb2f68073d48ed083bfbed938bbb38fba66cd87f8fa6a36637bcbaa3a226302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
358a0933d52955737e42f28a1546e5c4

SHA1
592d06fd5117e7b1e225542fa0adde8ef207426c

SHA256
b1a9d661f2a7348cb5631394b25e07cf9df7460c653c16e037dbc111053f7572

SHA512
35d9700e7c5739951b5fe8d46eaf8477d39ee81594474b66bfaa985a87cdc45257b531014f43cfbee0131859f107b263bc2b4cdebce7dcc9d41a7ecf1226aaf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a6c5aa9eaabc4b4942d8de9f6b41923

SHA1
fc33987a1ebe374314c9d87c37859d0d1fa6327d

SHA256
9fafa31e2d78b2f7d60ba10baa5eb32ae16f6e96391138953a3e0ed0f8c97efa

SHA512
2f5530673f49eedd3519d5e5d7c82d519f87f684415fbc67cfa7c3ab5472a4444ab4e6a79c0b418faa3dcf8b1303bd80589782dc5a9460938b8adef9c709658f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
cead959802481468549fb6dc62d37fd7

SHA1
2e8784c63305eb4baa05187f6ac3fa8bbec10a4c

SHA256
ef62b50186eeae7a635e77a42df126d08cf9d53653123ceffc1e277b0b19321c

SHA512
b2927f15ed01382cd73d43833a123e6110d8a273a6324e1646c6b48aa1e1c29585d460f1effde3e712c2578ebc26472b5a496afac79be8ed4c677a0a6c07a4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
6023c37d3d19ba13484c00297d716d20

SHA1
e4a061a2a1046beedb9e68bf167914d4eca55db2

SHA256
45ed8e88e2e45147bba6a18a6b6dca401b0e9158e94cbfb3ff4a8ad48220b5f9

SHA512
aec76a9041cb443dd92764c51b51ad48aacc2070d419b96df37de4cc75dfb552ae6c4891d8a20d6862e4c367ab2e0ea8c3e0b1391ce70d461c4e30dadd15f11f

Download Submit