hxxp://ec2-54-202-43-228[.]us-west-2[.]compute[.]amazonaws[.]com/x/d?c=30330821&l=49311c73-4226-4e3a-872b-0eb3f9f6dac1&r=99147103-1af7-413e-a720-c25d9714f43c

Analysis

max time kernel
53s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2023, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ec2-54-202-43-228.us-west-2.compute.amazonaws.com/x/d?c=30330821&l=49311c73-4226-4e3a-872b-0eb3f9f6dac1&r=99147103-1af7-413e-a720-c25d9714f43c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133243948147792641"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2876	4492	chrome.exe	84
PID 4492 wrote to memory of 2876	4492	chrome.exe	84
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2960	4492	chrome.exe	85
PID 4492 wrote to memory of 2304	4492	chrome.exe	86
PID 4492 wrote to memory of 2304	4492	chrome.exe	86
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87
PID 4492 wrote to memory of 3780	4492	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://ec2-54-202-43-228.us-west-2.compute.amazonaws.com/x/d?c=30330821&l=49311c73-4226-4e3a-872b-0eb3f9f6dac1&r=99147103-1af7-413e-a720-c25d9714f43c
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffade6e9758,0x7ffade6e9768,0x7ffade6e9778
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:2
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4752 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1812,i,14464616945964362610,10511273324800974068,131072 /prefetch:8
  2⤵
  PID:4400

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
58475d235386a0f56096f549905d6f56

SHA1
239159d149284a127d731d3dc364f61c99262211

SHA256
5f27421b64b3a3726bde8af106d4b7f4a01ff6661b43830d3f276ebf03473959

SHA512
229fc74c16f3821ae05eb0c9655597ae00e1547d3069460b9118d944d8861c9215451f708f0829c5c0acecbb4cca0a4d408a7f5a643b30700397fec924c420f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
122bf082c7ba6b7da28a00dc92bf7fcb

SHA1
85829f20b59e723abec25197b6cd897a8c961eda

SHA256
4cd7312aaf52619a5b2ad52e574169ea730f436f67053c6177fc1e9f64a472ee

SHA512
53c857430a7033a046799347e8100f4ac6a9dbd5c07c9685b72363e27d84535d150ddfc976c086f304f7779f63272d386a83fdcd08fc3cc12afd2490bdd5adc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
25f0a9938a867bace6695110fb24a935

SHA1
ce147ee82f6e96055200bd2b3f6ae6fa39499230

SHA256
4c205a21380ec08710a3d2ea6ef9d70cbd97e88d1b25310286f4e94229a2ef09

SHA512
388ee45c0a5a0ec25dac6b7495d3219599e348b574b4264c5b2f77dba6ec3e29db0a459be1ce99328c8b2f99c8a5440c5a12185264a41ba76ad9ee42b8afab95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4054ecb66ee353dcdb3db7d7d47c5eec

SHA1
3ffd4bfd464058ed9b5626e8678b8821f422bb3c

SHA256
4d8d90e49bee5b4081c21c2a9ac5276c4bb7e88df546ed5c6524155c9a7aa1bd

SHA512
ea649c42420525d4cee15fbe2720e9afeae0b51ec4df90738f8535d8dc9fcfee8671d34dd30371000c2e641d5b58a0b5417decff4b3f9229a7a3b8b0d90b501d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
ab693da25ce1c9a09162a546b2ae10cd

SHA1
1c74650c24e0f1add99d7b4bf06a1bdc5818972d

SHA256
224220fbac3e4e841aa69b0f78989fcee4fd5607159d13a66bc1acd60c52efe0

SHA512
530d1ca9b336653f54ecb7fab49d7729bb65f0ee2e923ccaed9cf1b182d208a0b90eb9668af7c91f3347c66b4c253b095db25bac6ab6a796b7c36ee58c775c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit