hxxp://atoauthys37[.]info

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://atoauthys37.info

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133222720431598429"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeCreatePagefilePrivilege	2196	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4012	2196	chrome.exe	86
PID 2196 wrote to memory of 4012	2196	chrome.exe	86
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4116	2196	chrome.exe	87
PID 2196 wrote to memory of 4924	2196	chrome.exe	88
PID 2196 wrote to memory of 4924	2196	chrome.exe	88
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89
PID 2196 wrote to memory of 1348	2196	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://atoauthys37.info
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc29d29758,0x7ffc29d29768,0x7ffc29d29778
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:8
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 --field-trial-handle=1832,i,12818436148311172517,157266361600462847,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
6df9b5819866242bd94ada5374f26e6f

SHA1
ac074c3b18c58d5f66aa08729962219755dd72f7

SHA256
0f705d442fc0c7ac8b65d6288683dbb3462f8f07cf25bf7886ea98df6414bd74

SHA512
d8b80423340f607174f398164cd33f13e7578da52468b247d979012a2b4b2b85f9eaf89fbb53b51805d919691ad3e9b174a6720abf3bad9e6fbb7f0d2144f16f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8e839414a9e73872736bd6d49b308e3a

SHA1
d31c057107135ec0fd0d9062a1e6aa6b0c048adb

SHA256
ef5bce945e1a3fe173d10fba17f8cbdfc1d60fde748275831bb054c25dc1513b

SHA512
878da8b08cd086d760ac9b706dd3d842fa33b21312cf9799697df1bba0a20b71781d2d4ad4f20a8bd4c8bd09422f9360a0db2313310afe14203de29bafa780f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
cb7f74b99f2a539fe2a6c1c129574189

SHA1
2c1805e342eedc85efbc5729036ce1edfb0a498b

SHA256
57c8c095c8d7c70e694004ed1cf3dfaefb49fb67d28cab399d80eb1746d530e2

SHA512
998acb0a149da3d4fb9e8d94c3ef18330c2cad11beac4a47a265479a19f73968d5b3f9629bcfe067fb4bec0c56f64a4caed0750843adadd47935a62e9b5c1137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fdfd275e66aa983a671fb5de7d14949f

SHA1
cd460c02634cf8ef4b73f58723c850c0a30f96d8

SHA256
51cd8301c8cb9d86bb60c5cd0c80e17110aa7560a2a7b3790569fc8095939e07

SHA512
2b22df3f2d151909cd772e3342b3bdb606e6a70a7eb0d0b5e0f3be2eaedf700837ac9e632ff49285d7dc9048f48cbaadff90af88bcddf6fdc9aee836906ff143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dbd03b7ab138b3b347e72cea0d4be56a

SHA1
4607e69174f5e5d60a8402124b60c63065fd8fc7

SHA256
405f71028acb9c3a2c4a97694dd5a057a02e021d36357e25fed2fbb71de1d2bc

SHA512
0976eac13ea95019fc7bd1a918a892da65c43fc447212629c1eed728f59bf60e60fff6ddf1d852228cfde956fb0aa1d9686d56a039718f5d65b4d925544528e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
db9d7398d7f298b7964a3066540d936e

SHA1
1a29788c0f4d0b253d72887e981656ddaf54b0a0

SHA256
616c3332f7b6a61fccee6cae9e9aedc580320f0023e782214becb3a9270a1e98

SHA512
c19c3a4768f3d3d0624e9f5b69b4d5c7b2d1986670ad5ebfee17497d8656ef74e29f16cf8546587b3f023c58aca31d69e57b91390c8b9628e05d375199d3473c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
5c0e8cc96010e47299eb7be4ed3e24d3

SHA1
4c128d0189e7270afe2d5b575a6648b11ae68903

SHA256
4a66343dc4536ba5ddc692876dafcb255d77e34ddee76d8ce1bd694f5ff62116

SHA512
ff751ec80f2f84746b6baaf7a5b2776b0f2b2bf6cf76c416e901a73e8185795c410d2e220a9e68f61e44462a7379ece746a779e61747f492ce495e4028914c9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/1796-210-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-211-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-212-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-217-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-216-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-220-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-221-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-219-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-218-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/1796-222-0x00000295D1510000-0x00000295D1511000-memory.dmp

Filesize
4KB

Download
memory/4116-136-0x00007FFC471C0000-0x00007FFC471C1000-memory.dmp

Filesize
4KB

Download