hxxps://goat[.]app[.]link/?$urlString=airgoat[://]home&$desktop_url=https%3A%2F%2Fabcvendas[.]com/%2Fimages%2Fauth%2F/fjxtgi%2F%2F%2F%2Fairimp[.]hel@scangl[.]com

General

Target

https://goat.app.link/?$urlString=airgoat://home&$desktop_url=https%3A%2F%2Fabcvendas.com/%2Fimages%2Fauth%2F/fjxtgi%2F%2F%2F%[email protected]

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133237797518442548"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4292 chrome.exe
4292 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4292 chrome.exe
4292 chrome.exe
4292 chrome.exe
4292 chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe
Token: SeShutdownPrivilege	4292	chrome.exe
Token: SeCreatePagefilePrivilege	4292	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe
4292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4292 wrote to memory of 2384	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 2384	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 4140	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 1040	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 1040	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe
PID 4292 wrote to memory of 320	4292	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://goat.app.link/?$urlString=airgoat://home&$desktop_url=https%3A%2F%2Fabcvendas.com/%2Fimages%2Fauth%2F/fjxtgi%2F%2F%2F%[email protected]
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdec179758,0x7ffdec179768,0x7ffdec179778
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:2
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:8
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:8
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:1
2⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:1
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:1
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5000 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:1
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:8
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:8
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1860,i,2723462158479119143,15487541022408005027,131072 /prefetch:8
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ad016ef5f2f8f68ab771d855e7b886fc

SHA1
0c68c2ff868a8756fb657a7c08bbdb1d7d328ef9

SHA256
2151acb3e1e5f85d65cf297a713958a27398aa60a2d400684743ea4f7aff75dc

SHA512
a38fb303ea5f4c91acaecef7f2f53326daae2b7fb17b449b6c0e68e1e43fc3e544b86ac20389f4ba374ef4d342b12516a3aa2306b6e1a598f5960d68daa72247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1c5f5abf191b862e0ffc72481bcd38e3

SHA1
d41d3982d008d1a8b0e22d3c9fce854c8fa48890

SHA256
641405457649aa20c37b6e2841cadb8d1ee57b823056f942d922a23aef1022c5

SHA512
8d54753feb713535175bfde130ddc5ecc93431239f6157bec925cd6d088766712f41f321e804a77de8a5cbbc65537fbc56e237e9bbcabe2ccb2693ffc8ad93d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
eb16e2628763cacb124747907fe0d575

SHA1
e632e7f79cec7d75352467a965d8f91f709ab512

SHA256
b691c0c24e3687e1a84bd8ea9cbdb9716a7f38d4d8ae7caf6d23c0224a2a08bd

SHA512
d823e0231085c86cb57d74cf91ffb96f5330d9b4824cc8aff3462d9bdd16bb260e526ef3f92b26327f37c8b4c7178ee58531f59dbbf0bd9d7dfd0dabd7c41703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
cf56886540056ccc6be2e8d4c08a8a3e

SHA1
dabf023923534d9101b3a7731f27ebc348a03948

SHA256
415f913687e43f064f3191ffbb64e9ad02c3ac0628e748cf166b846aa2a48566

SHA512
49880b5b47c29da38d6e478e34e02961184fcab15811bbec5782528aaa3a4e03e166371799291270a002b3807babd3ee3a995b460875f978ad7a2d398977b789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4292_XXUTJVLCNUHRTRHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads