977ce36a053ed9f0a1bbf031f81629e1c7c8bc864e8255e25ca15a7eb625930a

Analysis

max time kernel
66s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

craxs/ChangeLog.html
Size

1KB
MD5

e13a142fd65ba98dcd14acab49b75f5c
SHA1

5259cc36a8473edab4b5328dd45ba2c0579185cc
SHA256

adedda589be1f4181787e5f3453ca48f74f950ba7628099ba217d89fd9eb7f73
SHA512

10dfc63549eb15d2bd787f83e5da43a9a2eb34fd9fbc22d10b1015eb0869c3e323db1d49c7338a567105fea9139a04294a51a9f44e2562b703c5c10e07685004

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133231940689168769"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4356 chrome.exe
4356 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4356 chrome.exe
4356 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe
Token: SeShutdownPrivilege	4356	chrome.exe
Token: SeCreatePagefilePrivilege	4356	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4356 wrote to memory of 4464	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 4464	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 3284	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 940	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 940	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe
PID 4356 wrote to memory of 2124	4356	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\craxs\ChangeLog.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe05879758,0x7ffe05879768,0x7ffe05879778
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:2
2⤵
PID:3284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:1
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:1
2⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1816,i,14073945383899676866,14255726226688190317,131072 /prefetch:8
2⤵
PID:344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
755c559e6c79a049e03277fd7cebb04f

SHA1
0017c9e2790072894cfd23e67276ca60abcf2a95

SHA256
db57f3a53208fcee7f9fa325c010529dd11b0a0c97e507d390977e01366ba77a

SHA512
d57c1eccc58081513cb1e1bc200adada0126bb9ce59bd43718cc86f144e5c6cc65e42c771d91e4d2e024454595018977af4f9d8719130dd5dfd2ebf2ef22661b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
75dc06b4ed68e663ca9bd6829a637f14

SHA1
70f5cd988565899577c4cdaedee9356b8a697e5e

SHA256
e43868728b8b6230dd22cb5bc494f156948af88d9f019912f8f5e62209cf1b93

SHA512
8d0f05f4abc03bb368fc21390858724506648e7b09ba4b0415cbc2159aeebc4226bea30dbe04cc3ca65d5ad9bb0e6c90379f67c0c2aa21e16546ecd1f185b2e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
53b942e82216383581c953d9c92ca6e7

SHA1
03e95101e92498f5fba0153579191adab8ac536a

SHA256
1d69fdf83d0baa005393a3868168e9bd1a19f70da3f969c62d09103b46217e4b

SHA512
381b33b00509bf7428e11aa915f4afadf44e78baa63a469a14a74d764e7e30eaa7cfde1830dc911f24e21ba033c9611a21c05b1bbc067389df48e28a5b4ea0fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4356_OUSCFFYQOWQKNTNY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit