hxxp://zlgi78a2bt6445438b47487[.]newfiles[.]ru

Analysis

max time kernel
600s
max time network
502s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2023, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://zlgi78a2bt6445438b47487.newfiles.ru

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133269262766164553"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe
Token: SeShutdownPrivilege	396	chrome.exe
Token: SeCreatePagefilePrivilege	396	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3420	396	chrome.exe	84
PID 396 wrote to memory of 3420	396	chrome.exe	84
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 1912	396	chrome.exe	85
PID 396 wrote to memory of 4116	396	chrome.exe	86
PID 396 wrote to memory of 4116	396	chrome.exe	86
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87
PID 396 wrote to memory of 4440	396	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://zlgi78a2bt6445438b47487.newfiles.ru
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe67c9758,0x7fffe67c9768,0x7fffe67c9778
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4684 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4508 --field-trial-handle=1812,i,7785197042201636024,18348676853115303031,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d2b17187ae6d57e9271fd497da0fca3c

SHA1
84ad82d757835b11f90d7cf082a1ad33b8ed57de

SHA256
e3d66954f17c330cff526ab4502bbd6b3be486de98f3832d5f6b668052ca9e25

SHA512
e2512de1d3e94207d8ae0a1d3138e2c2f9e17c55cb898cb72131b16ea7c2018130774534f1481cf82611f4c7d3cf06f2ba0d0810c63db9afb29bdd531b37e449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fdd49f77f59f7b0848f07cc9dd515148

SHA1
ddf7631e3101cc9aadb78a6c1dcef1806160d6e5

SHA256
749b2f9ff4bf8904fe5ad394e923fd8e65dbde06ebf885ffd648797c11e78114

SHA512
56a9ba77b6b737aaec3f53b747f1d8ee9fecdbda8701113dcca42ab82ee98cc44cb8dcd16734e81ebd17542a0a365ad3c213e6fa649b201dc40046a42c947920

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2aa89fddc0d3b063d9718de956da92f4

SHA1
6b0d08fd4bf07c352b4b611a1da6fc963ce10c6d

SHA256
7b071ab9f9e222c9bb06db6a8870c96fa197107582bf3f64ccb8a3ebf2463d18

SHA512
74e895bc7aa7331eb70eaca733907854168095c659bcd4485a9d4bf4e8a28f096b62a2e32d6db4855d7b3aae2fc8a73d2e7acf76a0082c07e0a45e391a4ed369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
011049ca63f2d75e14b11509afbeeb5a

SHA1
dbce0ad1ed861264c93a913250bcea191daf59cb

SHA256
7c2b549d3915da824b302c8d3ff9eaabd0474701e561853e9b5e347f2528963b

SHA512
2f3bf8c8605c6965ab8be9a055a07bf4114b970d5a49a793ad191b4fb3fba7fda31d61d4692882252520926e059e2aeadfe6fa45ded91e2608e22db8ef0f543f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
22225d50e8a023afdf12340f6a5f34bb

SHA1
2c1dcbb145cf5f29347929674453a537561ef831

SHA256
e20fb298718a298fd2f953391975b9388a621f7750155290cf432698bbe81d18

SHA512
360c633326d7a0678f5bd7e82f2af306b9406fd9d6ce6a33868ae33c40e6d03b7ae45155a8c89f609d4ce8e1d6ea38d70856f0acf63157bf4d9a0f2eeb3d1cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
f3bca51bdfc748b806c05fbd54855655

SHA1
4faef1c5b1e4b91e3eab10fa1193e20f397604c5

SHA256
8b923eeec4e3e5a008a2e36b4cdd5cbcbd133c75a93ce06103585987b2deb386

SHA512
53c33342bf2b820d7127f94e057f57d1679dccd9a8bdbe63a457aefdf1ede6d711cd86c9391f3f6e40b355fd10d743d6b5b68f6556ac69912f5b3a477decda8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit