9e184a81c384f72db69b87b93c9c465c0a4c78bdf36991f7cc7bbdee8e3da082

Resubmissions

11/04/2023, 13:38

230411-qxjp8sec9z 6

11/04/2023, 13:37

230411-qw1blaec9t 1

Analysis

max time kernel
57s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2023, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance-RNP583879248D11.htm
Size

148KB
MD5

77e7491ccd5d165869f8dd5451606eec
SHA1

dc956330e525dbeaf83d8c6257c2041f72bbefa5
SHA256

fd86758bc22948aaddbf139e0405d310ad05686150a0b207626b9490e60d25a6
SHA512

54d2c559f5fda9a1a9642f9385e10d42357a453f3de90f88e38cbf31af168b6f2fd03b362c473d256e8d18c3373eb9c240f94eeae76d59f5727cbbab0ee45d92
SSDEEP

1536:YX3r4b1yY0Yw8yyQVnpx9KV26kJZ2gNa0sSe2En2yvJN1ga+l5Hrrjw1rI0KwAPu:e3Y1l5Mx9ExkGgac5LrjArI0KtPH1o

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ipinfo.io
16	ipinfo.io

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257011244791481"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	chrome.exe
220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1088	220	chrome.exe	83
PID 220 wrote to memory of 1088	220	chrome.exe	83
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 4148	220	chrome.exe	85
PID 220 wrote to memory of 2832	220	chrome.exe	86
PID 220 wrote to memory of 2832	220	chrome.exe	86
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87
PID 220 wrote to memory of 1176	220	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Remittance-RNP583879248D11.htm
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d90d9758,0x7ff9d90d9768,0x7ff9d90d9778
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5392 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5020 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4892 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2772 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3560 --field-trial-handle=1772,i,13938621844884428010,14214988679979828877,131072 /prefetch:1
  2⤵
  PID:5112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
72b3b3dfa8fe6f50c04670cdb5e29357

SHA1
dba30620afe5ed5606fdb94b2225a4c876928ab5

SHA256
302371af5a64011760319650c66f237b75bc3a15ce8378d21dc5ba3d5d0cdfb1

SHA512
9c58a1128f0bf2202716d36fe8f49d0d898aeca9e5743f0bd513961b62ffad277b65354a46f7d2defaf104e6eb4b3386fe656aaa4b93484f0644cfedec383290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
701B

MD5
37cf8f08b3bb9eb910f515d77ff2e651

SHA1
8fe5caed14ecde7834512e2d3841221094be0f18

SHA256
43bbe2b69411f207f927d896922f30fb2e0c81cc7cf31f396e03f8f77ff47ef3

SHA512
7ad6ae712ba62cb6f2cbfa7b3272e9b5c9654ee49cc523ea22f22efdfa2572efea583a3cc75f7668ea6a270b82ccdb9e4c9ad9961d20d04e0958e636677a2818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f6028f21385010478e56f40408b59417

SHA1
d14b8d32c3c50e50bda3847095e7f261363abde3

SHA256
08f74472fea01a7de9288256cc6b8ec6a20953c331ee1c372d6a5356e0bc7cce

SHA512
32a1107e62f653737795a5a60a5746dc9f35ff5ea651ac96f0ee2ad880f5cbd08e232fc20abca113ffd7133afe2f1eb52020d23d1f0610cb3d592c392f994728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
845666e6c2242a0e6c2aa5f5f4714b38

SHA1
06d445cc45ad37b6562c34c3d7fb1e1d289bc99c

SHA256
92fd603d650aef07e9a342475a7ff759ecfd610ed511e137d44ce393fb598e2f

SHA512
c1f004f7f044df9106d780d9a1a778ff54a6f35d0f32984d4b1c0bbe534aff587b5feb0d1c2bf84810ac0d0770812f291631163153dd7564e7e6bf7b4401825c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
554e3d430b004d6b2ba25af4be28d8c1

SHA1
538b00068cef294327a670eded440b5e6a3542db

SHA256
45e9a2ad54b84d3188d6b77331c0ef55f9dfd1ec89b7576e24bfc43822ea24ac

SHA512
b4e16b132971404e115c2720e8328e3dc7340f4ec6f7cc2e9f9117e37e7e18d1bacc7466fbd4b58342bba03005c44512377cae63d8a228f7faceca4fa25d4d7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
45efb8446602ef600331d68720540de5

SHA1
f7084428de0653f0b86d933b4d02c9d1f1a08343

SHA256
177429b4735e88c03ee29c1c0a77b12ef71b2183feae2ad96cda4c11e84edacb

SHA512
9a32c93d3ae731102c1c3ceb8a3e06f129731436c2a3b02e0ab9f8871f1720772786f01acbc0b445fb782f93eeb278c1a391a663948168193f12efc8b788357a

Download Submit