af8baf048c880ea7b6d5a956f3161aaeb4c6178940969d649b99f0567d7a99a7

Analysis

max time kernel
151s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 07:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ATT42345678.htm
Size

2KB
MD5

48dc0985483f4835c63d69bd4b8c39d1
SHA1

af3a40798e26cd219c0695379f35b6b481bd6af7
SHA256

af8baf048c880ea7b6d5a956f3161aaeb4c6178940969d649b99f0567d7a99a7
SHA512

250bead6f246dee64cf98fd4473d9b6abf66475ae0cfcf717e0092f17f5ffdc10653492a026f0046c1e5945fdc7e53323058519368cd42fa91d2b7364daf5d39

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133241195158840489"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
1916	chrome.exe
1916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 1960	4616	chrome.exe	85
PID 4616 wrote to memory of 1960	4616	chrome.exe	85
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 4112	4616	chrome.exe	86
PID 4616 wrote to memory of 1764	4616	chrome.exe	87
PID 4616 wrote to memory of 1764	4616	chrome.exe	87
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88
PID 4616 wrote to memory of 1604	4616	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\ATT42345678.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa29a69758,0x7ffa29a69768,0x7ffa29a69778
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4960 --field-trial-handle=1820,i,3774541039238763026,10855847622448375889,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d4384f8dedfa47f290c986d55dbf3a4f

SHA1
a21030ce80b46e12cc11df8f61e89cd483b31c1e

SHA256
4e937021d7651d0b37210a51ec2020ccd6174ab7aab000bad519a2ce429572cf

SHA512
2cf27a7a17ca713b279c3c510d8e08feac994e8387e8e303ed3deb932f12197185e0b1b849f7479731d4502e2cb06507adf2c6aa1bfb930c923171d3d338e363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
281f6b4a42899ee53207a676a50deedf

SHA1
31bc99c593246c3b29dd86322373798cb4275d61

SHA256
6afddf8c502c795fd82b10dd1368d4ce5503157c99ce1833db9707785babf84a

SHA512
392bb0a3b8e34dca47a0d6ed1d20f30a58c4805bdd135b88b03d9486a1372bb6abfebcaaa28eacc4f0e34fcb0d80c43fd06fcc7b3c40369e32176e7cd18d90bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54e9bf778690beba383d58c11b9b930b

SHA1
c70139016b4c9191af4d610b7d06402373eed3ef

SHA256
b2135bdc55de2a067239dff6dc8781c588ece86f2dd7a8096364f90dd843f5dd

SHA512
cdcb3e81ff19dad47e0f37c28b2c8056d15746d8119e7db650f8101754f461f9988e6c43893737e254b3a4bc8570efda926dac1c6b7f7bd54f3370d5e7450277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ce38392c085746098729f68bbba23f27

SHA1
924387cb4762a5771f3295421738f9f21a5e1d67

SHA256
bd494aeafca25d8236935000011493544466e34f01cb422b263f29fd8234a95f

SHA512
ad064964b17105880b1bd4f11fd2214e9aa35f06fc984a4741e82fca480aa2e5fdf7a32643828315f11efca56e96c04443ef9564b2a79d3b7c003ef6826011d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7dcce8cd2fb85a543daf19b4011ea840

SHA1
5e09e7601d2698b4eae693f14fc80b1aad514dac

SHA256
66567fc6deb00452d73609b5f2dc58788bfc4787134674fe39fde2c3c7becf8e

SHA512
95bf1359b7461ce2db922029d8d96e15974d6ea34c1026e9641a680c38a15cc187daa014decfd2297d28fc5398468a5dc3e0e1ac3f10a8409e457e9db1000a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
978266e20aaab512aa1d7c0806c637d6

SHA1
10a663c6a070aa9fa2e1d1f5b1536d1fab81da69

SHA256
c0db995f2e753aae859d81d884fba522945bc0c510489c8c2527bccccb96be7f

SHA512
fff8d793ca54cc36be06744ed3f2e74461d5851f5a32bddd0a29a510517e315d2fbcb9954ec9bdbbf4a6f00566989267f986e7ad17b461e2e8a75e15ec670e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit