hxxps://teamorange[.]site/wp-content/css/qaaaa/

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
21-03-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://teamorange.site/wp-content/css/qaaaa/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238986569141705"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2312	2272	chrome.exe	66
PID 2272 wrote to memory of 2312	2272	chrome.exe	66
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 2524	2272	chrome.exe	69
PID 2272 wrote to memory of 4188	2272	chrome.exe	68
PID 2272 wrote to memory of 4188	2272	chrome.exe	68
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70
PID 2272 wrote to memory of 1432	2272	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://teamorange.site/wp-content/css/qaaaa/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbb74c9758,0x7ffbb74c9768,0x7ffbb74c9778
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:2
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4368 --field-trial-handle=1744,i,8506872318844686385,2821242527220685206,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
3daff3e4d26221aa243fd3fe137ec9f0

SHA1
5e43470078e3d9f00d4c070f6c8bc20ceb60c77e

SHA256
79502255a4b36a492fa639fdf2c3cec46f948ddd441d89df5d2f29b45f4e5c63

SHA512
7474c94929de67d45a4041d0df48c4226efb4e9f0c87fa4e93fae5197368c4b6eb2645a33026632a7bae834e3329276dd14986aa3adf561ffbbdadb759d06e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d758fd6e6d7342ae84ac856a1e1de721

SHA1
fc90d8957d467ffac7d35361c17b0e9608ae6c12

SHA256
4db4defa269a4a6ae0a257d28a434b1d136169a1738a205f537821b26ebde0d1

SHA512
55e90f0622ab25f1b907a0e0cecbf15021ac238f8fc83d43e803df5ddbd1b2dbe01dfaef67d42581a2522f0157832d079593aa9b297d07542a0ff77546a8a970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b1285947d76d900c9ca57302fd5d993e

SHA1
80316ea9e9ca797fa114b6407e422f8d4348d5aa

SHA256
0f4628047a67b68fd6e1b03edcf68cb718f6a22e9196870a6a9b994244568e54

SHA512
e054a981470ffaf8398d6bc51b5296061871dc2a682740ea0ca49a7e5cc7f14ab84320586e748540109300e7f93ab19b42a33e94c79e4d0681849b2b2f8ed86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
d3d9b633d522a86878631606ad17dc7b

SHA1
5adedf963eb0f0f5db3dd794f7e74990cb76b70e

SHA256
9f3e948a2109eb389571758cdf477e1bc1f51b28c680d5a8ca945bdf5f6fa58e

SHA512
9423895016d6c746b23c66bc01f5a6c5cc96e1c14630fb95d6cadbcb582e6d6ccc06f93f246918ffe78ee940da0a75d33f50edf82d8c6f95bb82ba681b1aa4a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
603c721e5452fa6db3d9185c376c9828

SHA1
17c097047174dac855318032520bf800ceefa5e6

SHA256
668d87892642795431c166fc57cd1b006d6d1126b19528bbdfdbed54eedcba4e

SHA512
9ac38c7fa60f3fad0a897246abdb57051bbdb56ef63f4000237bd87c9d77c7eaa89cdd7a75608d24a3e09688170b6053fced719054dd088306029a6a463eed31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9a53fde0ef01cd25d975e437ba2fa916

SHA1
259ed223386fc934c31568acaa014838fb7eb9ef

SHA256
669060fc63ec8bb7ab5e88b813ee8fbcfc252b284876090e13fda4b515cd4ff8

SHA512
4e14aa2b3acb816e9aa52133c286d074ba3708cfff11f4c3b2511855ac3163d18df4471ea837cbf8f972aa98dc3ebd6e2f73ca8a85931b3d29d4b132d1e33139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e3b440eb-df33-4d17-989b-ec5110cfe404.tmp

Filesize
6KB

MD5
60373671bc669e28787d09663bb18708

SHA1
6fe7275365fd9c84d564837e50b0384d2219e72b

SHA256
7d19243fe8ec7132cbc6c8f8295d972d72be9bda67155f18f778c2ad7509ec97

SHA512
9580f110fe5f17f3bda532cc296349a295aa07387c54b55b7be1719d47f03cc347b320fcf9c2f27c035de27885b29b65965b695260937472e5760f26229f733b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
d70626d018f168bf3e7773e194198379

SHA1
bb3579d708ec645a21f9ff1873a41531e632496f

SHA256
c75248669edec09ec66f1aa4737a8bf3e84cbf11918364497c0e2ca0398a65c9

SHA512
f839ad8227446319d9eae70630e6083dee65e6ec83ee8354521f95bcf7b787e1bd763c573316ff55be301e2e69f221fdac85a1618dc8a6a0e7dec1df42991bca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit