hxxps://notificalo[.]com/notify/services/na?i=1500000005492012674&u=hxxps://www[.]notificalo[.]com

Analysis

max time kernel
26s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://notificalo.com/notify/services/na?i=1500000005492012674&u=https://www.notificalo.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133264777130947700"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3268	chrome.exe
3268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3268	chrome.exe
3268	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe
Token: SeShutdownPrivilege	3268	chrome.exe
Token: SeCreatePagefilePrivilege	3268	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4924	3268	chrome.exe	89
PID 3268 wrote to memory of 4924	3268	chrome.exe	89
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 3812	3268	chrome.exe	90
PID 3268 wrote to memory of 2036	3268	chrome.exe	91
PID 3268 wrote to memory of 2036	3268	chrome.exe	91
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92
PID 3268 wrote to memory of 2796	3268	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://notificalo.com/notify/services/na?i=1500000005492012674&u=https://www.notificalo.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3929758,0x7ffec3929768,0x7ffec3929778
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1812,i,1748623869249501172,3233008272002515993,131072 /prefetch:8
  2⤵
  PID:4680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
63392892f1c60e7d5a479d19f4bdce35

SHA1
ad2acc8ead566349be8076ac40adaff4e6597bf8

SHA256
c73904f514ab7e9d3955d589a07f4ac6173b09db59683aba5594cd2fa357ccea

SHA512
ee069eacd2c5dfcd484316d9318a572f42f296fe11f00c830df60f433ead764f84e336168c24e65156b70601828ee510f4361ef1ca86bd019bacfb4179610c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f2f7da88473a159de95d14ada4dff30e

SHA1
3b8485a4d01c9271d79c239c2c95e99a55a8acb0

SHA256
fc2d2ef3b7520248c1ca6969217ab47cffa700e4fb94310320f8ef5e1da4827c

SHA512
b92bcbe52031c9a372f896c16a57db66e2383ff2875ab73e5796c10206ed6ed5ac3bedafbf8db1732216bf561bf6a1c5b489ba488d78ce9e03a952f503d514c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
d279da123dde249630a039773d88c61e

SHA1
1436289effc261c4638f66cd13028024464290e9

SHA256
487646e87173640b6690942f838e1bddded7c6565b9be3ec5128255d7fbf6aec

SHA512
2edb502d2516d3bbef95d20967dc2f2b5cd2df90fd6e0414b824570325b5d3604c6d08af32c9c6bf4c85885d02861876567b747670f14dc878063c94552f96e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit