hxxp://usefathom[.]com

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://usefathom.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133250247860366086"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
4316	chrome.exe
4316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe
Token: SeShutdownPrivilege	1280	chrome.exe
Token: SeCreatePagefilePrivilege	1280	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe
1280	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4012	1280	chrome.exe	84
PID 1280 wrote to memory of 4012	1280	chrome.exe	84
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 3808	1280	chrome.exe	85
PID 1280 wrote to memory of 4296	1280	chrome.exe	86
PID 1280 wrote to memory of 4296	1280	chrome.exe	86
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87
PID 1280 wrote to memory of 100	1280	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://usefathom.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea7ec9758,0x7ffea7ec9768,0x7ffea7ec9778
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:2
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:8
  2⤵
  PID:100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4724 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:8
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3704 --field-trial-handle=1812,i,16272612519091555334,18405119089246622452,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
e01f2c9375d0c858e58b07f108bbb507

SHA1
a9b2508fe3c7d6277ac83bfdd2a7e358bc37d66a

SHA256
6b544b41148b69a7c115dd1f70062f5c3741794121134e6570b8046fcc2f4682

SHA512
f23dccec29a806c0e6ca98001ac5d12d3cc80bb42e01a454b208c70591d9021ee32098f5fb5cce18e453c5a243ea3e08416b3dcabcce3e28efc38db771f1240b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b18b7f4f4f18e334c86aa53e5619096a

SHA1
09a782bebd4b00dba8d9f40f177cbe1cf413e488

SHA256
7b7eb55066ddb344fbd0f865464abe3289f8b63ecb4c05ce18d157cacebaa7ce

SHA512
fe51c8a2a49eef303a65712de48f2eb6b3785c59c00bacfc5b5c691677379653841ea1bb3e7e8f7c9a237d3662b3b5aba790bfa0c90c3c68642eb699ecf2643d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9f844948bc4944b6b9482da3630737ec

SHA1
98b0dab63e44b6474d8f3cfefeded76b94ab9d56

SHA256
8a3e74dda096d2effbd0ddbf1da6c618b0200f92b5d2539568565b1a2c21057f

SHA512
8e5d2f9a8a46e15d0bf53bb7b8e7d65405ae6a0151dc9aa026d4e66c25c7685e563029e20d7a152fc6955792b2912a39f44d1920791c189f9b5a7ef87bba13ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
af877b5b9c24a4d618954db2ea74a001

SHA1
ad3b3f4dc2d27ab980ca3b805696a4ccf74ed996

SHA256
8b5738de16d6e285d0077b63c776b1b718d7828fdaf2905649c5d6ee799288a0

SHA512
f04a69f8f00dd7a309b3273c65dc4b8eda8d4f0f59e9c223db9d6a074328a31d7f7c465c51ea10bc07dfff27ca69327abc91875015d70aba03d447f139f45abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
992dfe855be6c119871a9e1cb813f21d

SHA1
e8796afcc1a3e02db90176599866cf85eb5ce34a

SHA256
886cc6486a701e89c48663d20842f797eaf9656d339f6eb780e2f39dbf11f34a

SHA512
0dde0384f8111870666a376d74d90d16e005a8ad1c395cd54a6d2de309390eed6308d41988aece551a5d472113a999787401a7330944d047dff6f9eaa432b1f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit