hxxps://chinalinktrading[.]com/

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2023, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://chinalinktrading.com/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133283513341067335"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
4776	chrome.exe
4776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4120	5016	chrome.exe	84
PID 5016 wrote to memory of 4120	5016	chrome.exe	84
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 4024	5016	chrome.exe	85
PID 5016 wrote to memory of 2360	5016	chrome.exe	86
PID 5016 wrote to memory of 2360	5016	chrome.exe	86
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87
PID 5016 wrote to memory of 32	5016	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://chinalinktrading.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd62c99758,0x7ffd62c99768,0x7ffd62c99778
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:2
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4728 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1296,i,2162075241514683645,12525484988259361496,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
707B

MD5
d81d19d7b1364c48d3bd6b95f1f28bb4

SHA1
4fbe911d8eb7e2d48feef803da33823afef30ee7

SHA256
f2ae5f086439164625e90f6fcad9183e6abb7817dd25a48ac14beb89a8761f1a

SHA512
9a9b278b1ef47864f2d479e0b6f3348845142f9f19b2faa4eb415c3624aa7dc7a72969e2ebd6b7e6005b92a3d13664365b36102f0e855620fff74e93d731a87c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
978996ca1fee4c0291c6262ec4686d5d

SHA1
57ccba5b953dfd0115c68dc764b3c0af49661c5e

SHA256
5d6f3b8f26bb602eeb81a972bf7c4632b2bda037866979c13dee357f3841fbde

SHA512
599fe220b017d4e0cbaf0c6f15acdf338e09551eedc31f8eb3e59daea33c90802ff1c10b0ddf4a4ec2aed6fa434066fb714ba0b9f3e796c2eb4cce530340b2fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7bbca7fdf8d812b7814c73eed3e91a58

SHA1
dd4e74ef4243981805a7b0e4052aa10cae1185f9

SHA256
1d8fa7ce2a2e04adaefdb6e4441f6a3240285327b5d5a9b3281a86ac8fe13a76

SHA512
36a23531e561ec78b2b5b3472d60e5647b95b83bc7dcc993bf3357f62f12899e73b3e24a5227b93caaf512f0c8a1cab324d2b9f1a3300e6863cff0556e5abdff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a0fadc412ee36fbf52a919658da7cba8

SHA1
12b915a8a40f8952b42473d0a841b9bd62075b3b

SHA256
62af7b61c8a9a22e2d738a72f6342bb94bc5cf24492f683547780fc7fa96da6b

SHA512
8059ae11f8c083d0ce32972c2039e4b2639ca5e69aca5add8938660c585619488189c593b38ab6404699b1a2738e0c9f61300dcfd0b067a5ec48ecd78173cdc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
3da5beb749aaa8a509b92c987b6faa55

SHA1
a6a3101a2045a7720410f5655ab7daa2f64cac59

SHA256
5e9c5026ee72c5b68aa14d4b1d7830189d695e28bae1be626117391d0a06f16f

SHA512
6881969a3b72df83cefd794bd6b53986f412563e1a4cbc0ad4d6006b38734c8fb35d0ae1af7703d3a9777270280332ecae22cdcbb31927de5fc33986aedb64f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit