hxxps://5aa87515-586f8224[.]hialeahmetalspinnin-org[.]com/

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2023, 19:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://5aa87515-586f8224.hialeahmetalspinnin-org.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133275374670716583"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3252	chrome.exe
3252	chrome.exe
2352	chrome.exe
2352	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe
Token: SeShutdownPrivilege	3252	chrome.exe
Token: SeCreatePagefilePrivilege	3252	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe
3252	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3124	3252	chrome.exe	84
PID 3252 wrote to memory of 3124	3252	chrome.exe	84
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 3864	3252	chrome.exe	85
PID 3252 wrote to memory of 4316	3252	chrome.exe	86
PID 3252 wrote to memory of 4316	3252	chrome.exe	86
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87
PID 3252 wrote to memory of 4552	3252	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://5aa87515-586f8224.hialeahmetalspinnin-org.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa851b9758,0x7ffa851b9768,0x7ffa851b9778
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4708 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2816 --field-trial-handle=1888,i,3325663000171208528,8402154997725515011,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
731B

MD5
b44f07375d0887d0bc3d585f10083358

SHA1
b77fe06fd668017b7b9b30d3f18c2ff26af93ff6

SHA256
aafc78b839f925ff3115b4260313f120da9019952dd688781ce9c94e89ec6464

SHA512
3b7bfd39cb1c3eb480e4657e27e885d52ce03fd497b525a00b1290d9f0205a07aa760019f75c6a0cea2fedb54036226b4a97c3e4f6bea4ec1b0ae55fda18027f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
b868675afdc1dd78dba27f15dbde475e

SHA1
63f2de51bd8d6786a0617f632d807df5238e9c70

SHA256
129169951079324e7d1c5265069edaa01061cec2b8b7a3037f2cdae5a9e2d895

SHA512
be1d3f0fd4b50b188dceff013dcf61dcdd2c0bf24235cc4ceaa86a54afc45db2a185b8abe103d7c1ca9beec45aa005c6dcae20315729967b0175888960bc6068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9333c927797b2b853dc55365aad79f10

SHA1
cb8f7aa4cd1600cb3b410ab841376c9e4d0347db

SHA256
38211509137680a79e27fbe4854cbc7c1ebf596d5eae3a53af8db10e0ac0ee27

SHA512
c97e18f1c1ea5d11c5ed04cf75167819ea84eb23c19d911bd929511a7640144c21496136f3f7c3176bab1a54680cd21a48af9dac135e8440d3ad9bf457088b3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2259e7e773e1deb47e7a2024187755fa

SHA1
e57484554c3401376d42de3ef83445a27bc9bd98

SHA256
9f6b763dda05d0549d7770ea5c4c6be0c7dd41102bb5f5cd4595a2a3f5a44696

SHA512
35bab986f39f88da48eeb4b20364376215999f4073cd594b4228e88bba150e7a3e67c6af4da3bcd4d804612cc8341f62479ecad4809332fd4af3bc9f4e7931ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c4eee15414119feed048cb9dafe3c8a1

SHA1
076811db4b099aef73de07e3aefa5ea8bdb18680

SHA256
e47b1d85872a389de8c6328921647ca36d78fe9eeed3efc4fa218a23b3e3d13c

SHA512
893bcfbc55a098fae1b2baacf735237532219a1c919431785abf48087916ef3895c60fdc4af62b4da051054a02c1301cfe432743f5f989612a2c158619406485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
147KB

MD5
e6cfcb38c1e714821aa303d5d3693ffc

SHA1
e6300a5e8ee433ab4d73cfb55845be0d318825c3

SHA256
26548f38a494eebc3cc531565a180029dff2b5653e17a1edabad78fc43f0108b

SHA512
03b131b425ef1bff467faa8933dcd63117dd9da6f2e9848ba49ea008b315aa10768a6543b7a5be5e6e27505b09d237315ca0a90828058e30e8bf489e00bb1dcc

Download Submit