hxxps://www[.]quest[.]com/community/rapid-recovery/f/forum/26886/using-invoke-restmethod-from-a-remote-machine

Analysis

max time kernel
149s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/03/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.quest.com/community/rapid-recovery/f/forum/26886/using-invoke-restmethod-from-a-remote-machine

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133232177496738368"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	chrome.exe
2128	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2128	chrome.exe
2128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe
Token: SeShutdownPrivilege	2128	chrome.exe
Token: SeCreatePagefilePrivilege	2128	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe
2128	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2196	2128	chrome.exe	66
PID 2128 wrote to memory of 2196	2128	chrome.exe	66
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4220	2128	chrome.exe	69
PID 2128 wrote to memory of 4212	2128	chrome.exe	68
PID 2128 wrote to memory of 4212	2128	chrome.exe	68
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70
PID 2128 wrote to memory of 2784	2128	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.quest.com/community/rapid-recovery/f/forum/26886/using-invoke-restmethod-from-a-remote-machine
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe49e89758,0x7ffe49e89768,0x7ffe49e89778
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:2
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 --field-trial-handle=1784,i,3358292828955908537,10830813096083512351,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b4423b361ae81d25928732c988b77672

SHA1
0e36c707a882ca970bc477bc0b9f0aedc41e56c9

SHA256
3931e7ee8d2b45f3783cc377e3a9ee4a34461c4fa1951511c459c081ec084704

SHA512
275a809f437b7ec0883b4c95f1103432e36d3807d0eb8d44ed4c95ff3a77f07a291d266a83a3227e575f198be5e2a05041adb6180364c58cfcdcd61bee6d11e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a894553dab3645ff0cebab5a9eb41226

SHA1
054fe1d97a16f452580e6f0f5a68a3892c973318

SHA256
b9db053c50ddd10e96163a94f9c10c0aaf9277aa58c7621776eda15fa0fd6368

SHA512
f8ecccf63acec9e46ebb18f83ba795d89d90b4e5f3407a9a1f6b4e60cb63cafd9193d99457980a68eb9e8e00fd585cc48556f276d12ad2eceb548b41fb9ab8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1a3746546e379c7be49fc8a7e1ba5fa1

SHA1
0d74569837dd8cb18a0487efd7eac38c39d6c995

SHA256
ff9da2d11292030b1bfe81689378e5d23e02dc6ef7525e17a3569a1413df6137

SHA512
0b75e2285041d7af799371191e1f333b12fb6150f28885c2970217ac7e38938cd50afdd65c73c1e2caacf2e6a85d791566b0f877ed7c92f451d19a21e174ca5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
efa024a874b38e0ee1f4486d52657514

SHA1
af545dfa18a0f0850fa99493c47e7894407c8301

SHA256
9698e64fded93d72b28014926ec7db34eba675a78902520e04c67846d4e3bbd1

SHA512
ae1f321c5757fd2ff2aa914c386e737ed6a6df38dd5f6af4bc99b11b908d7d7f84d5745da4bcf32b978d27346023bd01690538ea52444abca6377437c311de4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c2e21e4f6779f22df682cfb966307fc9

SHA1
12d8a58d06cf3e2ddb4470683455175405a7434c

SHA256
04fde0037a64f374e38fc7a4c2d5c7d3c9cf1763646a453edcaf50c4076ca32c

SHA512
4d355172e9967b9525a8c011e70ec257b33069423d2678ea54e324243195edc85aba6d36c632dfa6a3c79c5c5f4afdde55cea56ac7420d511c1fd5eb625b2443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
84646e39bc5e2e6405b650cb297b636f

SHA1
a2f0e071ca9132c33d26d3dda684f8f880031be4

SHA256
c84c0921b6327df4ace52f300ad2c4571c04a962880f5431f12d9619155c4fb3

SHA512
2957c95715c2ae71f05e8218137fef5d031a74a581aa394a5f6466f4625398a5189250a173503d87acfbb94d5c287dcf80b9b82bbff3c0f6d13c308690eb91a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dabfc08f9798e2d0cab67e350c4b2ffa

SHA1
fa3964af4d43753d01d66f5330030bcb98176b16

SHA256
09e0654af9075b51c04a2bb649305991b81f33af9a882c4e7f365c556629f0d6

SHA512
8f8a61287b0831196e620a2b2785682485129c9981f5e97d9e88b0174f2d7fd84d576e9b06df9597a0c1428cc31a16412089b65ae3c69573d71d97d166816707

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
26fce3d90b6266b17db36852865bedab

SHA1
1cbf2b9d0704594f7ea4bf13f916ce8a87d04701

SHA256
0367e85228c87a8f57b97923d09e99c177a3ede3d694a95953b766ffa4c074ac

SHA512
db54734361153f95bb3a087f32572d0a950178302c26e4e8330d4be0056d3fc4c35274236f04bcb8f2edd86b57f5850c3069ce13835aa966cce96e5df237d663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit