832654398d6aaecf7213b9b15c7c527054dd8d2a4ff14d368a657a5a1c53b2c3

Analysis

max time kernel
63s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gui/Builder.html
Size

23KB
MD5

179d80f9cfcdafce7f35371eba7b7130
SHA1

9ac5d15e8f7906227ee7e5334ad7c1f4068155fe
SHA256

6f5a2059d85bb87e672f62c2c435ded3eb6f1b02e91807b70eff00abab141628
SHA512

6b5f3d1fdd1dee969ee3825cd70bd525876bb1da1fcb85cf456e18f3241a7a3769c1b50253b6e1c7d8be495f8b12443984eaf62a9e9751e2a3df3558f7950a67
SSDEEP

192:mCf0TMOMiHWRWZl3bCprc8zHWP89YD8KMn+JnOUnVwnB2nDUn3iKt5LwlcRQlIhI:F8n1HWRqX2NZFFFwF4FM0cCM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267718021628498"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2012 chrome.exe
2012 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2012 chrome.exe
2012 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2012 wrote to memory of 2340	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 2340	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 4840	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 2632	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 2632	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe
PID 2012 wrote to memory of 212	2012	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\gui\Builder.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0x44,0x108,0x7ff9ca419758,0x7ff9ca419768,0x7ff9ca419778
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:2
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:8
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:8
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:1
2⤵
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:8
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:8
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1844,i,5900280776940852061,1972433195098911690,131072 /prefetch:8
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
176dcc05e409243dfebeeff023304a1f

SHA1
4e61a713cac6feada3975fc81911ed43de9eb95a

SHA256
fe48724dc873628a48ed69c06a46a349a1443080007524c09d052176baeea7ba

SHA512
a852ad0591e338747d05689f5ebd6e22796f244f20ffd922f90b8c41757bca70d33d42b152a56ca2dd2051aba37b5c8ca867f2e5675f01f2c201e0e85f07a283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
47de842f1365ec369e3c024471aece6c

SHA1
54ef17a76cd28fc565de1d83d23d90574b4121ae

SHA256
60cf42f77601daf8e0cc05a481ead9ec942547a5baa02c6ba09d6f0ab8e3c873

SHA512
155fb4e3ca50d5d70f87f29166ae7ed725ed23a5d31ebdc312a62251ea5a63177b1be0f9276c318eb8a18576f83665bafb0f7d6d1c7bc37aa39e89860cdd10e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
2567b6c4fd2b3aaf734c18e50d04ed8a

SHA1
0c31604f7154fbd037d306843195f495b89c2147

SHA256
2604793e20dcab7fb3b97050f62598b830a6330cc913eeb20bb553fc4c303d43

SHA512
d87f73278a49f640d539cb83f62d9b4d6f25be678fb6cee5f152e38e9ddbfbdfc0252a50bd3ab39bb39c0f993491b41a89d61a263e9f69532ba1ad6fa899e344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e33aadae-2ada-49cd-8cdd-4e2462aba6f1.tmp
Filesize
6KB

MD5
9ee325683b5e9affa72a6616f5a988c0

SHA1
8cd738c47f6c65de97c6d2d8d8cc7998798b5680

SHA256
d62997d1ba0a9940ff489a9a23d8ca2bcb380addd7679ceebcc83c08af9f6bf5

SHA512
8b8f6905975fadc6187760d467ff0f5107641113133d60dec8cae65d89793e67ce0a357e2e8bec64e00b8f644db8e8456c256e5191e149fef8441ef7a35c514f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
200KB

MD5
7a47dac9b715bc2963b3200a0c8b2927

SHA1
70792c58178ee8e20155aa0d9c39e93a620d7e7d

SHA256
89b121851e3e768d23b13ce4ae10f98b2c784c2e27b97a190d877f5c8d23b24c

SHA512
1a1f08dffd246169b49dbd7c067d39450bedcbb4e46a035dfc39a54ec94d8e6855a8f4ce5996813ccaba53a07bf3c32d408b894599240cbaa23d9250764273ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2012_PZWQUQAFVZEQIOKE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit