hxxps://abbqa[.]multibankportal[.]com[//]dl[.]gtc?l=85931408-417a-41bb-926e-63f23d157c5f

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2023, 03:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://abbqa.multibankportal.com//dl.gtc?l=85931408-417a-41bb-926e-63f23d157c5f

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133234161567752326"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1560	1664	chrome.exe	86
PID 1664 wrote to memory of 1560	1664	chrome.exe	86
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 3352	1664	chrome.exe	87
PID 1664 wrote to memory of 628	1664	chrome.exe	88
PID 1664 wrote to memory of 628	1664	chrome.exe	88
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89
PID 1664 wrote to memory of 4944	1664	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://abbqa.multibankportal.com//dl.gtc?l=85931408-417a-41bb-926e-63f23d157c5f
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d3229758,0x7ff9d3229768,0x7ff9d3229778
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:2
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:8
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5060 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 --field-trial-handle=1856,i,7841546240023660971,8985343148920363904,131072 /prefetch:8
  2⤵
  PID:2504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4d31910fa72e94c765194173ba11983e

SHA1
0e6896d76f74be8af620c28653348606247d0c0f

SHA256
28171946f16973a63d29c386b889af20881aeb523e4549aef816b8d01cc610ce

SHA512
a20b9159592862aaf3ce54e71ceb6fd55de1a14e2b82eed14f9d34dda9be70d2153d436a3d323cb7c00233728fd0217600801e76318d8c127a1c6953ddfd4f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
59889bafae532f989cb675ec736023d2

SHA1
c3e8ab362e7f17306c9140d07c03265c7d94ac40

SHA256
743e1adda49fae4f9dca9d2974d4141cc256f2473011f3cf471acf58740e7649

SHA512
718a0395e3f2486f1beedcd73d9953e16cc22047cb211cfc237f8f418930a86119b7ebbde2afaa40119100dd961832827a714f650787f11cdd9f89aee3d53f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
780ac29ec19163b31c424760361e4022

SHA1
473496167a1b351a960b13bb87a1b35c0ca05a64

SHA256
710e302b053b6b002e750b43d725396dbfeacff01b606ef0d75a891f231ac249

SHA512
43521a78f180ee58cb06dc6cdd2d112cbbaba2c8855074979ac2391b1e476bd1d5d4ed8cf93afb84b9dc009e27268817077c9f2894351c43f5d1f722734480b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
58bfe99c2261c04ed2313bf8b5cbb220

SHA1
d7125cc88fa282a18e5529360b838ccb19ad3179

SHA256
a0845c6ec5458fd3336eb63370a962f1e19e3479a15c21c9059aeeb8d9ea1482

SHA512
b64b181bc9984fa0308fdb3791c76a2e143f46b9742e15131bf23b03e9e6834b0127b97de9758466ddd8c63b5ab02f1b0b4aaee8965e0ac62ed9817141d03b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c0bd65ab39dca49434b7f1e2a16770ec

SHA1
e8ecc51a841a13d55435837e0b90aceded44acf4

SHA256
4f9d3e43d48e374d5ab9408222ac9846e8bf5b63457ba8a9bf70d58e82008e8f

SHA512
6035eebc039455afb46de348c7a5be9525f105f856e25797a8af982c0c07407ed7b0092df6e542723f9a9c82458aac4a9592aff2f5d49ff35f8cea5d91fd8078

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
97a8d06471ae951bdf935616226ac783

SHA1
5bd2e528937f2bbc2ba70e387114248210d0b82a

SHA256
103b7c2b5f6085a0b81ac41366f69c6f545b7f7f78e97d86bcf301e14b1a4583

SHA512
f5166bb65cd80702ef47300aee57fe597a1aedd5caedfdbf670463058c9209ded5d258c8c78f4567c4a2c3ef7ba96b6fcff989a6895c4e7b27d922446499eff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
142KB

MD5
1a1039ed49ec984bee058c3e00d53208

SHA1
1dd45308411a6479238ffaaeba797d448e903e8e

SHA256
216adb3e8c458f4c969b75c6cfaa82099083dfd930697d0b8bb6a61959029029

SHA512
87cb851f5a372342c1899555e3ecdec1ab37964d18addd7d0948e230d865ecfa73dbca1c252aff1ea77779f3ec6f0d0807cdcc7105075628aa40eefa3b509749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit