bd27523d0e5b852f6a4fa1d7a9163ad361adbfb0b95541c7370d7f4e9b486cf3

Resubmissions

24-03-2023 03:50

230324-eea5laca49 1

24-03-2023 03:42

230324-d9r6xsea61 1

24-03-2023 03:41

230324-d8x1saca24 1

Analysis

max time kernel
61s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ATT00012002.htm
Size

210B
MD5

ec648e280ee68a08b16602d335687c33
SHA1

424af13b5e65931b6897386f95343e8693b7099f
SHA256

bd27523d0e5b852f6a4fa1d7a9163ad361adbfb0b95541c7370d7f4e9b486cf3
SHA512

038eb9622dfba3850d31178c1bbdd7e611a4281f53dd0fb39cc80132140df83887e42b617f636a2e07a77af5f3dc22742c4adf3d282a551d83a87545d9fed534

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133241065041613627"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4828	1288	chrome.exe	86
PID 1288 wrote to memory of 4828	1288	chrome.exe	86
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 4312	1288	chrome.exe	87
PID 1288 wrote to memory of 792	1288	chrome.exe	88
PID 1288 wrote to memory of 792	1288	chrome.exe	88
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89
PID 1288 wrote to memory of 1116	1288	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\ATT00012002.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb0009758,0x7ffcb0009768,0x7ffcb0009778
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:2
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:8
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4488 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4700 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3188 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5272 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4656 --field-trial-handle=1816,i,13394572055070849488,3769637189748587057,131072 /prefetch:1
  2⤵
  PID:3332

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f43598dfc1fb3957801b9498c1988235

SHA1
eac26bceafa2e37408a983175b838694b9e93f7b

SHA256
91f17b34d658626a9dceb841f69fdc2c7e654c3675f759af555147dce1f7dfee

SHA512
55e137b8b52c4894856980b36ab6db59e573d84e19ae1f7dd99390f823da07b65c6eeabbff88625d1c75f7851903fedc9128a9bc67fa436e50b487cef393e659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
194774a3e144fcb528660a1ff56c1f39

SHA1
556d1334e2ffc284baa604d5af45714b07be1b42

SHA256
bb49610ffbfad798ffb1eb079514924e8fd4e8ab60180cda6c9b638c1439fcdd

SHA512
9fbce208c260a5310e7c65f7be4ffc298c2f76db02c41050418c14ae138b2818ef81f03575fa430cd321d19543fb497f461574fc9ccff2adc7e7616fe620c9fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f454c531587d4242f77112925093b437

SHA1
f63c46e2cbbed8bb90a13486051e1bba5c34c264

SHA256
4d2944b9ef7d5f1ec18cafc9a36a299aaaa64defbc6560cd071560afba3ddb4d

SHA512
06cd3399cb55ffb777dae3d0f943da1090850e2b4338bf533169412ede04ee7a01c9e8a3414a5c92cdb0643c784f7a453802ce261f3a4066fb48c86bcb28bde2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
697c9e903bae2185c9dfa0df39295200

SHA1
984075422eca2e62b725807a02dad00b1ba22e0d

SHA256
6e3d617372a8a47e941a0f673de6bc0b2656523a6141a6a9b18e1a4dc4465465

SHA512
24f50a9d2cfb4359bec52e710e8f3bd759bb636f86941939ffe38fd301bc474f89d5b40fbb32f76993ab67f7106dcba940ddf94e46594a23634700aa292968ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
145KB

MD5
5ee7f6f6ce65d82d73d7c94b2ed89e32

SHA1
0722a26fbccd580b8190c6e54a788ffdc8097dd3

SHA256
8396d1906185d0cf9f0ad3955816b5012b02aa44275b9de88e3b21fcc692b3d0

SHA512
8c2929471e2268f4d40d768d7a682f6e22b31e2c74c6aefcd9b553add30d0581d60411915a49cf944c955d197a5340422c0e38d5ff70430323eb6b2481f20236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit