hxxps://academyofstorytelling[.]com/box/host18/admin/js/mp[.]php?ar=ZXhjZWw=&b64e=zrybuIvdse&b64u=vcgRHwYoK&conf=STzZnMglgE&call=BtYecKil

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05/05/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://academyofstorytelling.com/box/host18/admin/js/mp.php?ar=ZXhjZWw=&b64e=zrybuIvdse&b64u=vcgRHwYoK&conf=STzZnMglgE&call=BtYecKil

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133277946202310083"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
516	chrome.exe
516	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe
Token: SeShutdownPrivilege	4080	chrome.exe
Token: SeCreatePagefilePrivilege	4080	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe
4080	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2560	4080	chrome.exe	66
PID 4080 wrote to memory of 2560	4080	chrome.exe	66
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3888	4080	chrome.exe	69
PID 4080 wrote to memory of 3784	4080	chrome.exe	68
PID 4080 wrote to memory of 3784	4080	chrome.exe	68
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70
PID 4080 wrote to memory of 4836	4080	chrome.exe	70

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://academyofstorytelling.com/box/host18/admin/js/mp.php?ar=ZXhjZWw=&b64e=zrybuIvdse&b64u=vcgRHwYoK&conf=STzZnMglgE&call=BtYecKil
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd93da9758,0x7ffd93da9768,0x7ffd93da9778
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:2
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 --field-trial-handle=1768,i,4493731409259514692,8825371940761029971,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
771B

MD5
49a98d05ded2a0f1791c1ee4f90d2e3c

SHA1
5cbf23e140301725ea0b28ef8444d45cba185179

SHA256
2fd054107c0ff4ce40ee781448e720df05dfadc1d1faff5ed16c0e21b550327a

SHA512
c4fe87066155c39c384650bc08f5f3fae35f38d89059445822b64ab102e8db6ad833679706be8a828a8ce1f67992170bda74d43e65459c7c9de089d131370d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
31c9c432a07f3e8e39e6859f6d66c920

SHA1
b3ac58ea3383c3d24c182803a828efb724f27943

SHA256
89cb1821384da5a9c058f28b4f281be555705efeae0cd92e5e977f8bad51aa17

SHA512
418836f91aed216f9f4a364b463fd6a801371f3974d9d21c836c55dd5f947b0dc75e3d672eb35427c354a2a9ab6e5732c9cd774dc0743429c9fff8c8277d93bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cca1c74601b73ded8ea06d2948ac0b8a

SHA1
6a481cd4ae87670da0fd963d4f46aff5a5043bab

SHA256
6aaba88cfe73beb4b67567a8274bd5d7fc7887a2432449df09a269713d3c645b

SHA512
bcb63bf16651928832e26b4d64c00c489895303161c3d33b7555d18afab12130884a9b21bd32c544781f8674b3596f3cac3666b8d817724b29137fe71ff8707d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41ad8ab3019602fab4917b992e25b951

SHA1
cd9ab4410bfc776fc78dbf48b6212ac67e709163

SHA256
c6654e1b9e77a891ab6a54bacc02bede8612fd92a6dec30f2d1620f0177f8193

SHA512
e35da10e7476e8a66ee9f5876b0f655aa518c051bf5126de3760eaac23c77165f90c5b7ba65394857d18cc02a330cbe1799821e239e8865f524507ce74477426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
959f29d069bb924e1e594945aa4a7cbc

SHA1
13e1490959f6f3b6ccdf63e68efd024f2f6f118e

SHA256
b9e0090fc3b8ce13c935b5f03fc30f3c54b3d3c5da068485a69588b75869e9cc

SHA512
00703ffa148680381fd0b1ca0c35102a467e282a30697a57f50c0a8e3632c6298c30bbfdf2d87d5078e3a11ff6c8a04913c66a225fe7ae70a8cd04efb87b6263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
148KB

MD5
aec50a4352b56422db10729742481d05

SHA1
51373ad092b9d4d19b10939a4f38ca81202916f1

SHA256
98cf5540338adc9fda4e01be4c4b595a4b1cedabe1e9d7b3501b25b3a42ce999

SHA512
1bf2a21b2dc8866934a60b12244cb682d0f5b8423dd2c9ac0e061f83617b180c20b7f5e5a8185ef2da02a7e98dd719e0d13acde80b93900dcda99e5110bd0e30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit