hxxp://pantheonsite[.]io/

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2023, 13:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://pantheonsite.io/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239685618963047"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2020	2524	chrome.exe	86
PID 2524 wrote to memory of 2020	2524	chrome.exe	86
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 2884	2524	chrome.exe	87
PID 2524 wrote to memory of 892	2524	chrome.exe	88
PID 2524 wrote to memory of 892	2524	chrome.exe	88
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89
PID 2524 wrote to memory of 4604	2524	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://pantheonsite.io/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb1219758,0x7ffeb1219768,0x7ffeb1219778
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:2
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5048 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3340 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5036 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=212 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 --field-trial-handle=1816,i,3562466006406221068,10441779766491602808,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9c68788080464554dfdc91589ece8a90

SHA1
145783383d3ef35d1530e4a6c51b6854a62ce0c4

SHA256
f586a08e289c745ede0d4fe990d577b694beb72c23e64a0fe45d9be883a1687e

SHA512
002b2de11f348f1a193b54a2c966f422b4229375948d51cbf61341d1f33849d28def30a30a241019a64d21af02c96abaf4da302df3266882e3740ecd85c46af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
a43d72c909e692ae06a09a4f4ba95553

SHA1
a41ec30c0a077da5aaeb37f39b4348d247f981ee

SHA256
158333f972ee8a2d469551176f1b0b7ee0632f0f5e4f7d2dff5f98f8c2f2337f

SHA512
a2321eb8688a71f1e1fa55bdb5b5676083ce5a247961501d00ee73dda34539d6844aff97e8be4e9ab447a185eb2ce441997d8e145b677230d6718bba375c3a43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ca768f278aa17af6b2c1de09f11ee870

SHA1
ba5ba6776ac95968c96afc8620b8ac00f834dae5

SHA256
dee39c28cc0e08df4186950876aea1a277e085e696387dbd0cc801b22e266877

SHA512
3682bd382127ce365744c9a154473cdcfbf76f1e22550def7d4016d2c07f707c2d7f9a2c8a71adca4d78638f6dfc77cb9895dbcabed3e3a087ce6422a5492ab9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
463c42ab4adc8a8838850bd1102c122f

SHA1
0affc0a525dfdcd0a41b17d281560ba9dd0ceee4

SHA256
a50e79f6c00713672893dd7d8424633a1e6d11e38a6db8386c668668fded7a07

SHA512
f46ded16528bbcadaf6d517c733a7beb50292a8deab10bf7e91bf5e22c513e1b81ca78748e643fd1309e5a8008ee409fae62a601b28ec507b22f0617d77a7d06

Download Submit