hxxps://aplikacja[.]ceidg[.]gov[.]pl/ceidg/ceidg[.]public[.]ui/HistoryViewerPage[.]aspx?aid=728642c6-58e3-43ba-8948-5cfb2ab00b44&source=versionChange&history=true

Resubmissions

19/04/2023, 08:07

230419-j1dj3aba9v 1

08/04/2023, 23:11

230408-26qexshf3z 1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 08:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://aplikacja.ceidg.gov.pl/ceidg/ceidg.public.ui/HistoryViewerPage.aspx?aid=728642c6-58e3-43ba-8948-5cfb2ab00b44&source=versionChange&history=true

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133263652897483628"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
1460	chrome.exe
1460	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe
Token: SeShutdownPrivilege	4132	chrome.exe
Token: SeCreatePagefilePrivilege	4132	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe
4132	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1300	4132	chrome.exe	86
PID 4132 wrote to memory of 1300	4132	chrome.exe	86
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 240	4132	chrome.exe	87
PID 4132 wrote to memory of 212	4132	chrome.exe	88
PID 4132 wrote to memory of 212	4132	chrome.exe	88
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89
PID 4132 wrote to memory of 4420	4132	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://aplikacja.ceidg.gov.pl/ceidg/ceidg.public.ui/HistoryViewerPage.aspx?aid=728642c6-58e3-43ba-8948-5cfb2ab00b44&source=versionChange&history=true
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe48c9758,0x7fffe48c9768,0x7fffe48c9778
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:2
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4496 --field-trial-handle=1808,i,14805698429301687395,6516778274323883281,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
1515bd8c78f7721f929a6f16dde02401

SHA1
992675aa5bbfb41685d876d7d241af175c6496b2

SHA256
436bf2174003c21d9b7055c33b42eb6942f93c1a9ca8dcb9857217d83dbe76c1

SHA512
44330fcd1b783645142069dee4c259edcf95163245e6a5bf99d197c5446245bfe61e22659e1e5df28595539fdffd3c7b45e0b63c9e32e4e7b1805347c5960ff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e0e21768e967e8b6f16ca1d2b89a1d46

SHA1
98e1e59fee17d73ea402b33f2009039af5f92447

SHA256
1298a615cae190826ef85b24c45df5749c840f7ee26ddf6d0157254836a63c74

SHA512
7ad61381edc50d0a80e391e1ca93c3fd088126d66d256e98cf96da5f35438f90c612a7fed26cec4b933c728cb2de69cb163e61e38e3e9b7dea31e3ae28425eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c5454fefcc4190d96af14c53d2fcc3c

SHA1
9b1994fae99709f6505bdb89a03b2bf7fe2e8d41

SHA256
d51a3a37f4bfcdcea82f3d1912b9559434b1eb2501e691ccadc608cea6312427

SHA512
452800afc292cedd5683b2eb8ce77393711c8d2e9e51017e9745760d672eb75702ea0be3d055413b718cc1b39108e76b7321d29a9c871b082cefef786ca19515

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\acddf753-e5c2-48a4-b657-8ebaa52c7fa2.tmp

Filesize
1KB

MD5
bff88f9d3df2a00b679bf11aceeb03a8

SHA1
324ba1bc545c47c7fefb76d6a6b552ab4bbcefd9

SHA256
b10988b1c9562c206b64fd0869e68e76efdf58c22c23fb862ff6f1600a4c89e6

SHA512
e7a62a0957d2bbae975abe386b6b6198dbe107090fb37f849e5d928d89f3a264c0cf4de143a95b031f6e0ad11e38a1d262db392a6b351a122f39b9d1dc677bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4bbc10e42d5d369c69b50f57ad14b27d

SHA1
0d1577a9e49eb041f5a32bcf91d3c91c5e51e12c

SHA256
ea514e119f0262ef8c96b490081f5673891ce3907eee636d8883435195724b68

SHA512
57bd5d154daac249587617eae1223ad0e9a25ed23583cfc16ff9735f08729b6d60dae856f7a277b77b68955a7614ce6fe4922d45fb48138ef83d5c0ae2c72e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
84ddbdb826840ac60ca82d7337254f12

SHA1
7b4890486327f151af700a788f431df56781a2bb

SHA256
f3e726830721079dbb854e0a34a55e7bcdea76f38ea8a806ddef7903dacf9b7b

SHA512
fd8b32f918aa12555265fa9eeff622bd8f81122088712363800206b0118c1fc37fe48c1c41245e3ec1cd8ba7921802804a0e80eed2ea2b78a50f438bd6b8a9dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f75615ee1f5aefa1e00901c9614faac2

SHA1
7df0f3e464801bf1182164df206f10b55a818eb7

SHA256
a01fd5a706417b79fd296d912f3266c7cba2b84dfab5e29e2d0f2a9e9a042b45

SHA512
67b1818b15eeea9ff2fc4660a94279e2723eeece811730de51c41150e1ae6947fd602614935d4bb918cab53b764d01686c29344b5c0bde9fb03f347eae5e7fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
7a95a02159b427f0e63129ee4739439f

SHA1
81712dadb3aeb62c957fecdf4975ffc125ee2594

SHA256
d82b47049b900768a5d1152e6a6dd5d884b8fe1d4e331ac2e35d731880ee7895

SHA512
a4d3703e6e4cec388627c63c164c6047053c90384e26518c13e9a88bbcb345c8437f03eea19adc0edcd304505fe38102fa03fb0afae6c117c5c456e8329a85a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit