a2ada0acb2fe50fc04df8723605dba97813a902164fd650494ee5715b2357ae6

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inv copy.html
Size

6KB
MD5

f7bb4efeff2a53a6af35f8bf0b1247e1
SHA1

8738287501a715b5fd2c86869894c089d8f0a450
SHA256

a2ada0acb2fe50fc04df8723605dba97813a902164fd650494ee5715b2357ae6
SHA512

09969f665682ee70ee6798c4890fd8e1c6d21aeddc4e653d24e52bf77fb001d1b7c5f7d9dd92d9928913d0423a49b801bf25b6db4be9215af3103eb4ee67c577
SSDEEP

192:taIKU3xq3xyDxNCLP6vJQBxg7+tV/1KUDKuKSZ:EKxN4P6vJw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133258434536528662"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4960	4484	chrome.exe	85
PID 4484 wrote to memory of 4960	4484	chrome.exe	85
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 1760	4484	chrome.exe	86
PID 4484 wrote to memory of 2916	4484	chrome.exe	87
PID 4484 wrote to memory of 2916	4484	chrome.exe	87
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88
PID 4484 wrote to memory of 212	4484	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\Inv copy.html"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac9d09758,0x7ffac9d09768,0x7ffac9d09778
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3232 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4484 --field-trial-handle=1788,i,8827941379401337874,7741867586712608730,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
92e3f979e66464e253c38642a40cf5fb

SHA1
98e4b9713d6ec1b0523b794a6a51b9447eb171e9

SHA256
a74def937659b54a8477ec8de120e6361e9643e5dcf11de6dedf461ce2c91640

SHA512
06fc2ea0d0ab9efea7df575dcf3141ebd71993a76188db59d457e8f0046613b0e2bf24f13f21e676904d919596372a660be8208026e46f2fa961fdfdc6a18c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
bc4698d1c1c1f569f94b34299c2785ec

SHA1
183257564bf551aff5571064dadd2891bd215071

SHA256
5283b3a22821ab5a90a6369e0e9faf665c9c0e94c2eada1bc46d5d5755f5d408

SHA512
7357d44b992b7aa27e7bb4641e227d09adfd4a56790a9373fafe15cf0ff9fd4204b8c956e15ab7314c80a470ae7da7360b5bba8ab7e59653e34048b15aa22c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
abe62662c0cb5f3e2e289d88fee16c91

SHA1
178d888e763914c7f6fb152bc1ef84f03800b187

SHA256
3dee9e9f768ede51f9cb55214353380db5aeb4aed52bf3dba6c62fb73dd357a6

SHA512
688758ce6f54d4f47a85ca58d07d27c73c5cd1491b1c266f4e4ec6f3034a0bfe7bd0a67dd83be1e4dd0f18311e716b4641b50b934588519fee66e98feb98c780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1fdf1a1964f44054378d6efa0c4ad078

SHA1
3820d4021b2fcc909aaee81590fa910e0a310caf

SHA256
154001f924fc492473e4d2adecb95c5a19fb09311ba0d8317d753ce250650118

SHA512
439074cc72ceb6256bd13dd98525615c5d80d385ac2f8f282e13d97bd5e42f801fa25c3b9b58c998136b36e2f90bbcfda90ac0f238f2bee1ea3048a4653bdb3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
19fc006f1ee8d18ac07b845d895cd339

SHA1
913a5d3b1e3a528a22df702e7dfe2d843a0941bc

SHA256
b41232ddced242d22dc0e575922afa2cd10baaf8688371802885a6a702ab0997

SHA512
f063e7aebcc4dba376a2844da2b7cf7f1cdf3363b8e03dd6659dbb488eaace5e9e369dbbf593972e0b934efee3e2a9f1c312673016ad5fccea1921b2b224fb0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
e0ec1007e67fcb2167b46f5e59444f59

SHA1
b3ae4ddf3b37073e26833cc5583a3bc8a23cde8b

SHA256
c63a5fc77ed8034b292d3eb51c3206d54467f079673ddb4537812307b595532e

SHA512
944e1f3ec4d01860ec8291d633d976297bdb3a34f63524de8749c0f1a2b088a8cd663b7d9c4d7f0a36e63443ede7293e0771adfc2ad06cae2488cb6d2dbc666b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit