hxxps://s[.]viiulple[.]com

Analysis

max time kernel
1799s
max time network
1692s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
21/04/2023, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://s.viiulple.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133265862791375665"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4108	5060	chrome.exe	82
PID 5060 wrote to memory of 4108	5060	chrome.exe	82
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 628	5060	chrome.exe	83
PID 5060 wrote to memory of 1836	5060	chrome.exe	84
PID 5060 wrote to memory of 1836	5060	chrome.exe	84
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85
PID 5060 wrote to memory of 2772	5060	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://s.viiulple.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9e9b9758,0x7ffb9e9b9768,0x7ffb9e9b9778
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:2
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1644 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3220 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 --field-trial-handle=1832,i,3749208342172642293,15182599950698202054,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1784
- C:\Windows\system32\TRACERT.EXE
  tracert https://s.viiulple.com/
  2⤵
  PID:3556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
954B

MD5
ea930eb45346ffc122ea6441878f3877

SHA1
ea7d89e2dfd09b81cf4b2dd730aa910371c5448e

SHA256
3b09f8ffefca35d2bc50537af79af55c83e3bf5f799913b1658fc0997593b3a3

SHA512
a59db8f7176ed521739fece84cefb480702b23890dfe809d4c2e311800bf4500d15143025d20b7b39755b553906f521836afb33b0565cf0615826fefebe2d663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
27fa0a2dbd4e6e6504567122113b1410

SHA1
7fbd06c9b546037a2f903db3d1cfbc940478b996

SHA256
e04d77881a17512f1f1f8d5ca4a8241bdbe838149cb4bb86014be02911b135de

SHA512
0580eb986b472e55c1937bc037fb354d6e280a7ef57986d0373ea23867e78074825d97bf484728de8253254f40f39526e4701f76bc6866a2ec080f88a7eda762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e4a887ec4a1d7c17fe9d32fa2f47dd34

SHA1
b751d95867fc043acb37a9ef784a89b233c59e64

SHA256
32610a2843bc9acee5111d50ca39291d9257c4ebecaa0611ea3b1b02922d8219

SHA512
1239c97f3e81cf47715e43bbf90ab75b9c595a68131d20287eba5443743df0769ef0c7d46b938d9af893ce2a741db3dfc5d6fef3d7b1b1bf739a671e867ee225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
a0992cae2c022ee80e07c3fbaea5525f

SHA1
785fd9d496425082f803345ca2db390a539f93f0

SHA256
9cc6016366c53112e44ef240822bb3518bd67f05100c644cb29cf674b55c3aaf

SHA512
65a3fef4805bf6bacaa3a9d673f3fb2d2cf0317fbc3214def5bbb45bbbdb40a622271809a42cdb57950e12bd95f6b190adeb7a9a20a60e9608d703a8e7372179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
5c4ec9dda8dc299eb053958fd94d069f

SHA1
27b3ebb649b25d9ab3c49dca70694233733757b3

SHA256
55c2ea81c03cdfcb79395fa61221d6bbae6edbca7f309490f23484d23e25787f

SHA512
475d603444bb0c65d5cced90b0ed4bab235f4ff6928dca7ff531634071a519de95cfca508b4d68e8f71cda6654dfb4b8fc1117436c474d94c7f3e8daafaec5ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
3299c0e5a72f1cd311a5a17638541ed9

SHA1
d4bc2c4d4f1f2fe0d1f727e178f5c16a6578286e

SHA256
1f47f9ac6b5d4140c00c6c8ad1855e2c4749591e1ab39354dfd2f8648e85c64f

SHA512
53ffc423fa7b73b348adfaf093e1cc606b885fb848404db929d27a69208bd2b087a0c39e113de19cc7f37f5e896d59fc079d21cf1c23cb017e6aaae341173283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
b824b94e8cd156d5d01002f21442dad2

SHA1
3766a7cc423c6b75ca803e79dbc98c364a4a750c

SHA256
69e929e6579a1b2d755ab87f1c19059302a12f5721c6977efb5c5d2e1fedda30

SHA512
cae1b8858d58e91c40c9b935cdbb42e76554326eba23b58025fa32197c83ea566d2c31943d6ab03306ad044d06f386dde20571585bcf7a4ab0898b6a82da7b53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit