e993828d3174b8f34f4c52f53f41ae8b346585b3d8043cd20516e86800650e0b

Analysis

max time kernel
25s
max time network
29s
platform
windows10-1703_x64
resource
win10-20230220-ja
resource tags

arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
01/04/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

behavioral1.html
Size

25KB
MD5

742b0125ba9f662ebab6fa91dd114b47
SHA1

e12bac2b42f1e0362d57dcba9ba027442140090b
SHA256

e993828d3174b8f34f4c52f53f41ae8b346585b3d8043cd20516e86800650e0b
SHA512

153946623fa4d228fc61a98f61c180a2dfb08d8c68e2c7486decf5af027a793db1c27c662e0cea36b9520f0a77cdc46f1f38c70a231d5e0c9e294f49af996d8b
SSDEEP

384:tmsvZ0e3ujIp/n7M0IQqC9RZfxSAZn0fZ9TffGfMfHN93syZj5XCqzGX3G0:tmsB0GugIqjfxSAZnmZV3UWHN5syZ910

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248366536437210"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe
Token: SeShutdownPrivilege	4024	chrome.exe
Token: SeCreatePagefilePrivilege	4024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe
4024	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4580	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 60	4024	chrome.exe	67
PID 4024 wrote to memory of 60	4024	chrome.exe	67
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 3084	4024	chrome.exe	70
PID 4024 wrote to memory of 1544	4024	chrome.exe	69
PID 4024 wrote to memory of 1544	4024	chrome.exe	69
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71
PID 4024 wrote to memory of 2796	4024	chrome.exe	71

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\behavioral1.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcf1c99758,0x7ffcf1c99768,0x7ffcf1c99778
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1920 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:8
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4884 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4828 --field-trial-handle=1972,i,16527112148854513567,6663028714473197157,131072 /prefetch:1
  2⤵
  PID:3348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:368

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:4672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ace855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
13e8b9cc97dfb26cb07287fda20c7978

SHA1
68e3eb6a0737ae4e81dc39ec5ee7439333286aed

SHA256
d123a398846fbdeb16923d807de0383eed10d395ff987ef8394b34dc3d8581cf

SHA512
712621c47022b8696f24301798225449a9aa8f95ed8547177c9f2c54d862b828c60a8785d06581a44a8dbfc3fb8da14cd3aff7386d84026d747b3fff04835fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
445746322a021e4a475a4f47cb00fee6

SHA1
40cb2af7133a54a3870d3094e027a9bb1dc7bb8d

SHA256
a1167ac1ef47619cb995e4e759d3ef5ec6666e44d2b88033f206361d6580df43

SHA512
012ee37db06ced8a83298a941c80c708abf48d7ea4894c6b75e2f650b6cb70bb942a47af97e720d2e86d63e71113ccf3816002289fc9cff71048b6f1e1f127e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1d90ba6be8fbfc68ab7a6634ed71bfb3

SHA1
92dd40393fe51d5e697c388939206347cf040af8

SHA256
91eab4ff087cd9ccc1cef2d51e814afa2375bb06cde3ec3a0f79be02bb848cb8

SHA512
e7f58ab428e33905f9d7007ceb3745580412acce77794af21f5a82c8580442111e866f5e5f3487480a0250ba9ee2fd3777fa727ac2b1542ac8fc40be442c5a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
fe911bb117309b623a11cc9b737eff26

SHA1
eba495dc8720d326420d027f036a4859eb77058a

SHA256
96ea33c0773aeea9582f6ed9103b7f63b5779454ec63bcc3c38ba6391ef40185

SHA512
9500574fd83085c5cc3be3642c56a46e90c171f6134cd44902262a2f7b0539172dce57fe678d07575f5d4e545ecd103da65cab087a46557b8055628645245251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
7bf234f117d6fdecb269960c6d034c2d

SHA1
c23b620ab7504477844ef88b171f084c601f2604

SHA256
8d00362fee190191ff90980e83cffe4304bedf67bf003737fca5a41ea87bb472

SHA512
b69e725e81fc6efd33f892d7129cc0e14eefd022c0a0aa2740271287caee1b0ef7133fcfd64436e76cccf00bf23c9cd08fb91247d61848ac30d275bc05dda826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit