hxxp://sstreamm[.]download/ts/K2VmTVBJcUFnWXpwQ0NJMmU1Nm9Eay9vcmJOWGpBOXdPcS9VcDdhTmI4cmFsOW9BMHpuVXJ0NkxTQ2ZiYXZRYQ%253D%253D[.]html

Analysis

max time kernel
780s
max time network
731s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://sstreamm.download/ts/K2VmTVBJcUFnWXpwQ0NJMmU1Nm9Eay9vcmJOWGpBOXdPcS9VcDdhTmI4cmFsOW9BMHpuVXJ0NkxTQ2ZiYXZRYQ%253D%253D.html

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133275944681840352"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
1012	chrome.exe
1012	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 936	4892	chrome.exe	84
PID 4892 wrote to memory of 936	4892	chrome.exe	84
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 2172	4892	chrome.exe	85
PID 4892 wrote to memory of 4556	4892	chrome.exe	86
PID 4892 wrote to memory of 4556	4892	chrome.exe	86
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87
PID 4892 wrote to memory of 324	4892	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://sstreamm.download/ts/K2VmTVBJcUFnWXpwQ0NJMmU1Nm9Eay9vcmJOWGpBOXdPcS9VcDdhTmI4cmFsOW9BMHpuVXJ0NkxTQ2ZiYXZRYQ%253D%253D.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87f649758,0x7ff87f649768,0x7ff87f649778
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3824 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5164 --field-trial-handle=1804,i,12630071969592410459,8424561871121221829,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
931B

MD5
4a24e90bd42ee7fad395bdf1fb8f666c

SHA1
586afc15d42e646d85a01779772b9597964bc1c0

SHA256
8b08146031c9dc158dfa47daac0cc2ea42c81fbb25830445eca43ae4ebe112cf

SHA512
a84451f0fb9e5486a9e9648cf448519e5534697a9e49472afd205a2008e9531ca68e3ad39fb2cfcc149443b3cede0534fe954a1258101c3f922997921dcecdb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
17dd6ea684d4a79893bb596116a05b68

SHA1
7396780fdf3fbdac6b683323b81b36a41bb04995

SHA256
568fdd7ef5fa69f18e68f27cd8ac39d9d953dd3fbbb6678d9b251d0e1b4f6a02

SHA512
55496687b17b429222bb4f2871b910adcf5b02698da3430919f7a7a813a2b40bb66382875ef0ee11cf738a71364d42c8f323209c2b5e418b287e0d6746b6006d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
39bf55710e1fa8f81a36600a491ca6a5

SHA1
dbb02dee3039424f2d6ac320b6ec5c2cf29b0b86

SHA256
83cb84f6c89ba62ef45e8e52cb265c72bde48fb9af7048338db4b31c0598eb6a

SHA512
6daa0dec5e4481cef780d991d8c77db6ef9ddbceb08cd4a7147e430712664d62468143ee725a040400f78677172d2c1c2ea4871bcfaca0d72762a79266006007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
11274531b16e22232194e56c38b80904

SHA1
2f2b789c753320023f69241df5e4cf31dae6e458

SHA256
f60825b5b6b64eb083ff778da45a2718aa9de20fc87ba17a8e4270adc3e22212

SHA512
b1f7db3cb052194c26ab8d9495059c058f7cc3d448ff69955977b084d84265531cafe3e36bab3973e96cbaf84a49bd90c2f88e7ba4442d048a7f8d362439e199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f03a214031a206853d310462409469ad

SHA1
9a5ceb54f0aaa8742aaa413546e5551156d57c03

SHA256
c82a816a973f5252f3b30972482718840f188b2a9bb5f18e6cc3f1f0325baff0

SHA512
37b186e303b59f8b5d34eef7de033aecf727ac9db307213a03f2f8318bf22a2a77534009495a15b1865072409342d9d3bf05054cdb0b007fbc969dd0eb965766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
147KB

MD5
4e606286b8929dbadbb241ddea6ad7ab

SHA1
a9dd9add625f24757439db6691e2b02200db9259

SHA256
463b3f28b24e0a001197026dba8a500269b03b16467d24a6e4f5801fbd573c82

SHA512
a364d33557519d2b84397cccec0117797d1f0129f99ebc0d2b3150706c63d8f6b980d2ce375a27c2dbd78aa9217db54c1458399dd616972ca165ca955aa06f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit