hxxp://google[.]com/#bmFkaWEud2l0YW5lQGludmVzY28uY29t

General

Target

http://google.com/#bmFkaWEud2l0YW5lQGludmVzY28uY29t

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238873068429569"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1304 chrome.exe
1304 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1304 chrome.exe
1304 chrome.exe
1304 chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe
Token: SeShutdownPrivilege	1304	chrome.exe
Token: SeCreatePagefilePrivilege	1304	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe
1304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1304 wrote to memory of 1404	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 1404	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3972	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 1956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 1956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe
PID 1304 wrote to memory of 3956	1304	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://google.com/#bmFkaWEud2l0YW5lQGludmVzY28uY29t
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb3349758,0x7ffcb3349768,0x7ffcb3349778
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:2
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:8
2⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1776 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:8
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:1
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:1
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:8
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:8
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4964 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:1
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 --field-trial-handle=1788,i,1416329613802998558,3875834564960761456,131072 /prefetch:8
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
3113ff5b687370fa87d6c961b953aa7a

SHA1
05f5f0f5bda5f05d77de591e2f858102298da17f

SHA256
1d3bffee2ff7e6067657c740932f47f72e72c2d85aba3d37fc448a0cdcbd8092

SHA512
32d79cdbc70f48f789f2a2d577e59b1eba29a9e06178ce075a1ebb9bcbfbcaf2584a723e599cb7b2782f83d4646c2ba94e882238ce64859ed7afbab1a8b526ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
36d42f983c5f649f71c444e81100a9a5

SHA1
959b294551dcfa5ade8d49ec4aa2b5824acf10bd

SHA256
c493c2f48cc31ed3863e9fe0de89f364b5bf04ef2bdb037d5db5f3dd293b49f0

SHA512
4351b6d69e26dd54c424aa7910f9fb4653ca8d664747ad0d58658d5f2a87745dabace6a62749bed520ef44d523e18fe08dbd7842b14d16725b68386a48626d15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
8d4179a878df25be97ab6b99f8e9ad21

SHA1
e40463a5e676f6eaff2fcad563c04aba6a208b2c

SHA256
52bffa782fbb57ad2506c397621e3b32d965e4b4c4e04403422ac12ac9c1ac84

SHA512
5eabd159c749524225d2b524c1b67aee3eccde7b5a96f3d81d7b69c535d59348684d78c06531579f902991725745f30a15021fb99c3911b19ea29d9d316a9c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
3d2f498f3a0e0822c9a76249e756e24b

SHA1
4562dca7618e0a28600280dc6dcc3e072268c2de

SHA256
2b7794156981349feed414cd56875e16f8825d8d8e83397d0546f213efade828

SHA512
fb72dab8f177d49413a99c784abe2e5fee5f8bc3144ed294ccca357cc07c08901b80251a3e18a20a007400f32dd1c2f368504dc7f30a5354c05d08f80f8396ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads