hxxps://www[.]rrar[.]com/events/2023/04/03/rrar/panel-cultural-competence-in-real-estate/

Analysis

max time kernel
300s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2023, 18:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.rrar.com/events/2023/04/03/rrar/panel-cultural-competence-in-real-estate/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240717147898452"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
436	chrome.exe
436	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
436	chrome.exe
436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe
Token: SeShutdownPrivilege	436	chrome.exe
Token: SeCreatePagefilePrivilege	436	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4616	436	chrome.exe	86
PID 436 wrote to memory of 4616	436	chrome.exe	86
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 4960	436	chrome.exe	87
PID 436 wrote to memory of 1568	436	chrome.exe	88
PID 436 wrote to memory of 1568	436	chrome.exe	88
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89
PID 436 wrote to memory of 3668	436	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://www.rrar.com/events/2023/04/03/rrar/panel-cultural-competence-in-real-estate/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa75489758,0x7ffa75489768,0x7ffa75489778
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5396 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 --field-trial-handle=1804,i,1342260840305645911,6369465711381611683,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
bad7d75769628153927d7509fd5def65

SHA1
94c39dd2e7a7a79443474ba82b8e1e259588f9b1

SHA256
cf4f3004855e03a58cf3bf4a6185633413d12c4c329ed27fb61a4c05c71aa88c

SHA512
7b3d85464b6c89ada7dc261f11c8b507b8f3ba840d32ed235ae41fff36f3874c8b5f7370ec59720abf079720c32eea2a9837809e7ee87b055d55e3dfef0cc9f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8871480c640dd7ab0f25b660fbcb8cdd

SHA1
f4214d8a00ab9f5aaaed4df131598a53dc6f83f9

SHA256
944a07d0ea8e811d252eb49184da7fddf5b692f82a7f16b508217ac367764c44

SHA512
c3eb4626fa930855cf4bf2b21e4aacb7e9d566fb6026945d2fa69c06aa057b8f0f54de8a81c81f03a17f22fc362e76fa8e07ac1c9140f121872d590ce0038971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cebfcc1f33773f76ecd53d4ccfaf46bc

SHA1
f7a6afc9e94c94327a0edfc0a5274b7362f937ae

SHA256
6d552dbaa04f78c222446c886783c3ebc703d2f2ed01a0b9ee7ff8a80af97923

SHA512
7e9c01e035c23625d1f6f5cbc8dc724e6f0ade7fd8e7603bf9021cd1831fa92eed7d5adf6e7a473dd1f7e173ba9b121afc16b1c1b0a09d0e7969626099dd94bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b17aa8a75db74e50af5e93bfe8ab01d2

SHA1
996de8dd09c1cbe99bf50276c5b940141e169131

SHA256
81f4b282a93b9d361e6679b40786b6362a1f1d3e4d1776c577bfc7f9809e89ba

SHA512
621a7428c7c98c6f2d5017c9802a2a58136ce12766169de0b35905eac6f6e4b87c7f3dd2da82a556e1e14509014afbcc9efe7013538f9db14e585dba8537d49e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96f19e4814f988da5824fa31171abb0e

SHA1
67c903bfacf5c0cd53c766c5c373a2c91b6c5065

SHA256
6ef8d1ef61046500ba2da669f4e31b88bb7fb7cee657e89432a8a6b7f29073b0

SHA512
e52af5ae8042fd205a4aff328202b7f9bcf23828e8db42bc49fd64205a90d8973929d717ef28343536590264ec793d420d0628a6e8d6e1415a717164835bd0f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9dfaf97e8c42da34395d51335b9e8815

SHA1
35cf6c65d8e0f46c3258b1252c7b6af74978b422

SHA256
2a07d52891c151b2c5f43be9fd6f1e2ca378e1f1fec6247ef656c55359a0eb23

SHA512
33c44b1ab3add9171995e38dbe1c6dba8aad998708dbade3e30e5da6a888cef53e536bb20fc396e2f5fa85b93a282f72312c1502d11502fd36927244fa7d4b84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b2a101eea717549b024d010ecf609012

SHA1
21d572b50634136a9e50f90d06918865fa215210

SHA256
b79afb70ccf2590849bc2e2928fdafa9492c6355f25fd456f13707e93e9c13fb

SHA512
a91e5b96c04d24f9b3290e4a5e26f950c29468e96e15c917e52826eae10ef0d80c11f2cda1ac047e3d6f3efb317de6e952c75138b3ef659ecc437428a306a51f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a7655eb4295bf55a7d4efcc176ba55b9

SHA1
993477bca997661b01b67c5e3220db2cdcdd1d6e

SHA256
2148b88ba31238b0014dab2acfcf2fe4f6163e4709b71f1a1c4d5166d1f02efa

SHA512
a325c4a2701610c3b17a07da02a22fd8ec281fb7d8b356ea2626f57546082e3c80cec5356da83e492eb6176c38a07d29e6c76b6d963b4d2a0b9fc3141a385655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
7772d698718fc661515eb8724ef3610b

SHA1
d3791974f9f34878120c58262c0744c7f0e2bddd

SHA256
5ad6efb290e9e63a161f5fef6ba3494d9c1709c07d025774d52edb15d93a1ccb

SHA512
3f97bdafcb6d09c069ddd92473f59463fa2d6faf373ffc210584ae814b1e58a7750034d65a5c5a837417c75614ed2d24051eeb4c478c6236ca6ac5e13a407ca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit