832654398d6aaecf7213b9b15c7c527054dd8d2a4ff14d368a657a5a1c53b2c3

Analysis

max time kernel
63s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gui/Auth.html
Size

6KB
MD5

589e2f016cd825eee95246c61c7595d6
SHA1

90c48c347a27a5e5f141c80d11dd05b0645c3344
SHA256

65513e92ac4845fbc1697359fcc68c863d049366d866cc6318be3193671b35f9
SHA512

ae383c87c21ff1638c3f935c3a4c2377ad6448aea17d0d9b331de48af24e3cc2550727028e9d3b134dbdde45ae65a0ebbde584b2e04410b0872863da4f42400e
SSDEEP

192:mOsPUAU1FitC3Rz6yxX/zK5qEPUnUtGie:RsPtU7iucgX/zK5qku

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267718029362304"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1180 chrome.exe
1180 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1180 chrome.exe
1180 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1180 wrote to memory of 1364	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 1364	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2480	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 4420	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 4420	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe
PID 1180 wrote to memory of 2092	1180	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\gui\Auth.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb89759758,0x7ffb89759768,0x7ffb89759778
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:2
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:8
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3164 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:1
2⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1796,i,7589089502924703192,13699753779716045461,131072 /prefetch:8
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
5d081473c2ebb6fd74fa060aab250bd4

SHA1
562fbc75809581ac381eae10d725a2000dfa4fde

SHA256
f37e140f762856a6457b4d393241e05476bca9c83c79814c6d705e7740a773ed

SHA512
deb5c90a98deb158b51276d190dc808b945dfb9d31acf4d88941867cff99ee05efd5ae977787394cc595f5c479f68579672a5196ee302c872c58baded659d158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a5d4e17d0647192a44890a3d9520c9ce

SHA1
81eee0b2988845672716171b374fefc49482077e

SHA256
21d15e2ae4ce72a5a06fbabb8f29473e286dd3165b1d733e34151b5078dc6b6f

SHA512
5924cfd8317bdd6500ed0c7b7682e3e179524b14750ac18747922485e99baff1ccaf8104ffa4b8365055156bcb316f8e1ee579706db33dc6d788048e1f8f2877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5755ab7d60bb27ff87e65033a17f6cda

SHA1
dcc77a5bbba4c34fd5cc0a5e2228ee47f10e2405

SHA256
151fe4d68dbfe1bccf518ee10fec6bbf759561d75b2f57c08204f94c2b454550

SHA512
f92d4e5782290b2a374b1fd027ee51c8d655f8c0c6211d2623975e2e5da142333493ae1f57fb10352214ecec3d98ab29efaac03fd802f7b5a1633fd120b29a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
31b68f711e42b05c277d2bb3ee622279

SHA1
1dd54729bf31e06dc1b0a6f97ec6d64ccc375fa3

SHA256
f74e3dbcf74da871944e2e4ef4d910bb09d532d7881512fb433ece308bcd44e7

SHA512
2f31273427a97ba4edc8a9e958f70b0abb41b99371baef7e860e69c46833b4bcfdc557eaeeb781c28fa883ae452da1b8953a47a59f6831484ec3c22d5b3a0506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
a1ce59f46ed3851948d9386c5d28bf96

SHA1
e8b4a590bef0860f26d6ef66285db08d6bc37e9b

SHA256
ca2f7d5f99255c61a9e9f364fee860567954ea21efe063822b37506dcc0bdaec

SHA512
977263f2e86ebc252e0ba1590e5025427c112b01df9b8c8dd3fe288b2ab7de38e9e8edeb512ac4e722f3bad2cf55bf238bd1dc3186b655e48d3490e39f929019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit