hxxps://bit[.]ly/3yWK4FR

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2023, 02:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3yWK4FR

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133244510611559553"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
4748	chrome.exe
4748	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4592	1856	chrome.exe	84
PID 1856 wrote to memory of 4592	1856	chrome.exe	84
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 1488	1856	chrome.exe	85
PID 1856 wrote to memory of 2648	1856	chrome.exe	86
PID 1856 wrote to memory of 2648	1856	chrome.exe	86
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87
PID 1856 wrote to memory of 3948	1856	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bit.ly/3yWK4FR
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3a679758,0x7ffd3a679768,0x7ffd3a679778
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:2
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4588 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4916 --field-trial-handle=1892,i,16052558183956761386,1059356615491949865,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
69abc1c32d418ba9f1fc85a4675bda3d

SHA1
0e5290ceafc8c488fc7d8d85a4d5568e09e5d595

SHA256
24bc1f694af488ad3da64936470102560ada8b4b17b7c5d41f40c10aa563344b

SHA512
905f8f01d7c57a8d9af2c77b81dbfd7e9cfdb0542e432dfd701ba48a2babc098cb3e996ed69a5548c1104ae17367cec6ff4a75ba139e9ff2a92ef996457ebd0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
702B

MD5
46930532ef861d003ea96abed8fb4030

SHA1
20a0072048c0f2354adb0a418b5884fcadb6f79b

SHA256
41e12788d8818c7b5bb61ca02a20aeb8d594c806a7cca51f6398669884866372

SHA512
3514917f31bc4713ee2c0a6f7249c28656467e01cb1c3d59db8fb2ad9fe9cb44c5df1bc71789105160b754263b917a94bcdce429e6d3b4ed3ef86f2ca4ccd64c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6a93c40e12ad1524b73c137de5cfbab

SHA1
7508e4b590a6eafd7f6872f6a4655d515b1d3b74

SHA256
14861041e5beac59153d6d47f18c1156e860d6fc41dd4f61a839b9e32eec86f9

SHA512
f407f75a2afda2a4a595d262b858ec9d859cd4db8ae8144966465d3bd1d317b91c5ab430b13db213aeb3eb55cdedc4bf5c24ce4146cccb1493600909f0af9fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6780ccd1e95c4886ece3a8a7a3bbee6e

SHA1
0be7986a5399f334ec1d79b831780a976b119c92

SHA256
8af579b124cf83ac7022cb04d1fc5f2ebefdaad3c2a0d8a0398a03c0620bca7e

SHA512
9e176b65e957453d279d834058859f96c51e1edf3a57bc70d216d24bfe17319f96b081815b02527638c9907697ee9a22ffb90e0da324dad1fdce8937146d4343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
144KB

MD5
847a599fe03690c2c53809a9eee318fd

SHA1
8aaa022c848b5d47bbb91c47160ccd8a7fb74223

SHA256
9e6269460dc69e874013ffabccdc849d5fbedd1172468a925226e640aa55c65f

SHA512
679801e267c3c662a941507a8f8166f480d88b173c3f1812bd2570deafa1106444f9316f4170965d1c7e68b43a2781fe8359f8f4bf1071cfca0cee22462fdc6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit