hxxps://bit[.]ly/3o6K2sy

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2023, 03:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/3o6K2sy

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133267015763053777"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
3856	chrome.exe
3856	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe
Token: SeShutdownPrivilege	4524	chrome.exe
Token: SeCreatePagefilePrivilege	4524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe
4524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2256	4524	chrome.exe	85
PID 4524 wrote to memory of 2256	4524	chrome.exe	85
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4796	4524	chrome.exe	86
PID 4524 wrote to memory of 4340	4524	chrome.exe	87
PID 4524 wrote to memory of 4340	4524	chrome.exe	87
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88
PID 4524 wrote to memory of 4124	4524	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://bit.ly/3o6K2sy
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03a49758,0x7ffa03a49768,0x7ffa03a49778
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:2
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4856 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2864 --field-trial-handle=1816,i,11476282672725749343,16621906146526384051,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
817975031d3122cba686821419c90492

SHA1
beb30fc0bba8a200e44124ec765fdb8d997e37de

SHA256
0e20710c6432781419ab0be66c97ec6b1a89a9e666a5799cfb8c2fe42bb922f3

SHA512
990a2a20a782b10aa3f580c70a7c50f56644a60b676be1f7ec9a7c9c04e8919c62a57931ace8f01016e9098578df79a65d9da327a288d0a2cc718d5de7709688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
74b39d1b907b2fa992feea816761227e

SHA1
41af4758019d48f0f6fe7df5b0cb1568327166a8

SHA256
d9be0c3c72b5e52a084c3559bb694b186bd3e7e556f91fb2af954b80ba663572

SHA512
9de449fe384d55d33dab130268478bdddfca3924ba1e66fbde9cb6c2a65106c8cf23352ea53f899375e766ba5a481862553bae1db44d8268944c481379923330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c007cdd9d10f19f6ebf3e2db5a9e92e9

SHA1
4e5d497af0213cec1e765ba61e79e989055ae975

SHA256
01a62fa44e5f88b619fe79b1e6342a017d6bcf8dffbbca87bd0234c2fb2709fa

SHA512
cf23164ce4c5cd8fcf2deaed3165bfdfcef5ce3db2955f2652bcaf6e9c1d2bf733056814a3f8391c8d49a97281f4ced39d5935a0ecf56d07029e13c8a66c6bca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6bc0120d26e01f6ed8ad71093c9ed43e

SHA1
9ee1a0a3808f79ba697ca487a0c5eb23ccbbf512

SHA256
e202b94808916b49d5f0382b4b3c6dd0f6145ee086c110885dfff654ee048412

SHA512
d98e432d671d8313b8e06c29856b707d734448be0c7e7c7c409f5e2314320c741bae9a164786b42a90fd2ab2cb17b70edb3850b9a7363f3ee1901465b265ffa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
fadf8743354ba037569e754fa607f506

SHA1
58b6c86b0b25e0ee4ebc91236d7189e3ec17d293

SHA256
d96fa1c7da6483289378ff7e3acdf7385356eaa2fa5bf827817010715f74b1cb

SHA512
8b653d2f3e705dc109620ace02b486967657f83e4696431ca89cd9d1cc760df007497ec9af766d12fd7e5de3efaf7783d763976bd2c8db61d03353395fecb30d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit