hxxp://sslip[.]io

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23/03/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sslip.io

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240825858593420"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe
Token: SeShutdownPrivilege	3044	chrome.exe
Token: SeCreatePagefilePrivilege	3044	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe
3044	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2356	3044	chrome.exe	66
PID 3044 wrote to memory of 2356	3044	chrome.exe	66
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4388	3044	chrome.exe	69
PID 3044 wrote to memory of 4180	3044	chrome.exe	68
PID 3044 wrote to memory of 4180	3044	chrome.exe	68
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70
PID 3044 wrote to memory of 3924	3044	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://sslip.io
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea8da9758,0x7ffea8da9768,0x7ffea8da9778
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2744 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2752 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4724 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3448 --field-trial-handle=1748,i,3867886648668694149,5821695072296096787,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
d142fc673477035d0940903026d6ec58

SHA1
33388bf2534ba1f4f278c4c92f83564fbfc3a626

SHA256
5ca14efb120b2ecf167f965e4631d56b01b9b5664bb9975e7022f0e36c072678

SHA512
fb01ad399b38fc53dcf48c80768e8ec4d1fef731c047bc975375814a57816ca4cbda20f5d8017b033e2cbb518e80695fc41bafb601df31ea2aa64dc7c0b708d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7192d3058232c954982203904bc3b866

SHA1
447ef260b0b715979374c2da3690148029b171d6

SHA256
7e0ab2bceb2e25e9f8dde00fb306ab9079b4d66d2cfb3e50044fad0ac1455c8f

SHA512
c2d73b326d41bddb10e0006335ad718a4c891a15c5e53e5b4969557129ef3d5d4ed1cec50d511cc1bda0531e80b9c286de5fd3d62bb2a151085e948af7afa308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
186834012379fd00934b8684fc41c4c3

SHA1
b8fcce9f17b8d7a4ff672fa59a95d203f53fa042

SHA256
067629a10d72497710346d790a0b66ed30651719325fbdf555d5199578f4a976

SHA512
78ece8f148c768c730648008588198df15be3eec6cff3e4f000f7eee81dada981555a85ab7a109064153a209407483e6716b310102bf0122e8fa207eb5498051

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
39b21d398fbece7f19f4f370a88402ae

SHA1
76a56312c828a0c7ce31cb05e9b4894fa98af88a

SHA256
2973f8a9eb2d9c470269f5a979e2a33f2e07d6c866ec6b5262b17cfc66ad4e11

SHA512
cf6b3100fb888081c5cb6aba30f64c949f5edcb5682c0b94ff70cdd6e6838b0cf789c7ea6ab502dc9c396c79f51beea43a460f1feadf4b360f7b864faef5ebae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
577ff455c48145188d9b5f1525fe0356

SHA1
7ded464c2dd0ce543140f7f667616e2f25c8347c

SHA256
a47630c03c95a84a25d08dfd4005677c0067408b967e09548ca8536d118473b3

SHA512
dcdb99188de8e05c20d06f4ead8acb76a1431883b0f23a0bca38bb7421d77765652a22eef35f7a6b3ad89c6669d6f4583189f3d66140629631ef97aa96c22fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2131ee6da874d1198d9189cf068aab7a

SHA1
b3fc7552f1bb7ea7c8472e035150ec311ebca464

SHA256
46461589004a116261ad36485022513fdb296fd40ab578ff3604baa7c3247dd8

SHA512
b6cf100fc8d80a314923e880650cc5076762cfb1f75bcb85eff72c09cdbbc00e900ebb14a31dd0a02af929a9bf17b07cc938519375fea98879bcb2ee3a9d4586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
b4628d8ed54e2b3a613ce566ae76028a

SHA1
5d8d8aa6ec1108af7f1429fcb7ec08e8733b5554

SHA256
2c8f8421c6f7fc135eee7eb19bba150bbbc85693b296d3e6620facae66edfad7

SHA512
cfa5d7aea61c59146e6c6fc2b3a193f56bff683851e4d951dc4ff2778c6f8721cf584ac1288d9b5cab4833afdce2ac5707b04e9f879746787e952b71652bd454

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit