hxxp://172[.]71[.]223[.]27

Analysis

max time kernel
300s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://172.71.223.27

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133232748785590222"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
4744	chrome.exe
4744	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4012	5020	chrome.exe	86
PID 5020 wrote to memory of 4012	5020	chrome.exe	86
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 264	5020	chrome.exe	87
PID 5020 wrote to memory of 4904	5020	chrome.exe	88
PID 5020 wrote to memory of 4904	5020	chrome.exe	88
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89
PID 5020 wrote to memory of 4152	5020	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://172.71.223.27
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46ef9758,0x7ffb46ef9768,0x7ffb46ef9778
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:2
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5096 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3368 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4528 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4008 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2804 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2992 --field-trial-handle=1812,i,13153816631614158007,4889698577895995261,131072 /prefetch:1
  2⤵
  PID:2740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fccdd164e8bcef269e632a7ca3c2e2cf

SHA1
bda97bbd27748e26575711eec4b030962fad5f22

SHA256
5f12c738f1fa3c4a56d5b4ba0b5473c1609978f373b603b361359955924eed93

SHA512
f927ca1fb25db7178f5865fea0ce7986cbd5861da435faf71c2638051af177e2fe04f1f6b52abec78e27fa35e8a2d164dd3425703db848c92ec35ed970a0dfe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b32c3f34841c135b7149d7182ac2d0fc

SHA1
6c982b6382ffbb4e33ca0e613f3d79387ffe3e6d

SHA256
e1ccdf56e902949ff8c1aa9d739d4068bbad1936b97db99dec916b4c566b52fb

SHA512
935a76603bea7ae74d1e8b764687a9355c702cb16f1801695ef80e75848363cf92fc521b00d7664d0e19510dd9709128a309a80d7e830ea2ceb0362b36318167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
629dc716d9efed2be3068e866d203e62

SHA1
f6f1514da4d967f8b40fa43c9e66351d95e4e4e5

SHA256
1a96d2ee60cc36bc818c60088af7da3a54bbc08280d4dcbfb49a307dae03662f

SHA512
f0916d3d1f628d3383a3cf082bc0143c782a3b4b67705edba5156f95b0645ead0d934d249c1a410cf516169bb64e3c9419041ac897ea6db89e9e3f505676f1ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
cbc66dfee9c11b9928305d38916360e3

SHA1
f766fe0ff1d4d950ce7736a8f89ede972bbc8dba

SHA256
57c6d97e09584f8a08a1d080e6ff582e96a622797cdd85bed1f77453632ecc72

SHA512
966e2474a1ac1ddb14261534c6b32981d59bbe394064f91e53a7a3a38e78d5c6ce9cddb79be527fdc43dd4369b7fba1f2da47a3e61e555eb29b70ca027ace2a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit