hxxps://touchvpn[.]net/

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2023 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://touchvpn.net/

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	wtfismyip.com
36	wtfismyip.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133286355590373577"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
2548	chrome.exe
2548	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1588	4052	chrome.exe	84
PID 4052 wrote to memory of 1588	4052	chrome.exe	84
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 1980	4052	chrome.exe	85
PID 4052 wrote to memory of 3124	4052	chrome.exe	86
PID 4052 wrote to memory of 3124	4052	chrome.exe	86
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87
PID 4052 wrote to memory of 2272	4052	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://touchvpn.net/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ff9a3da9758,0x7ff9a3da9768,0x7ff9a3da9778
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:2
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 --field-trial-handle=1828,i,12854324239939819587,16542240547786213916,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\229e3610-e2fc-4510-a144-b3b14f5d0166.tmp

Filesize
5KB

MD5
c3a50c49f4650087547412e0998198ac

SHA1
cc27e8d86a3c0123396d96446ab7ffba4395ef44

SHA256
8a4d80fbe2317ae2c5936a82623a4e9e309740bcebba8c19f50d25edb6c51f51

SHA512
9c1f20517dcf93c3c5e98a31b9e4eb2a2ba45f2d3d04e09b03843eccb3be75175708148d6768556d936176d408f5fb8971b3de300bdd90182637a93d2372aea0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
5ee596352fe477ecf2daee49bca04eb0

SHA1
b74f6c45a567e901fb758331ee2717b3726d2cba

SHA256
bb02bb4eea0748ed2774ae73f41d2cf8b28228168128e64e95e5c9e503d63106

SHA512
e4679d5cdef3d9608778273681795aa5441ba3276cb2fbe0e73361a50c3e37322a3ff4b4cf6d2cb775dcc557c7ed24e752ba675adb21bc90a9a8e05888cee713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2383f83812855e19c13020fcbebf2e1

SHA1
1d47cf975e5e13b9189d56ac958a783d6ebf30f2

SHA256
83ceaf421065deb37ef644b39ca8c90f07a9dd48bb01960be0d10a76e65d5273

SHA512
cb834e381eef9ae99d55ffd70e024708e91ee226d23458111aed382ba9b51f65d62442da9fc2db522ad1b42239212a301981759b9b1a19e079c0f01caae6f758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
548e1f1524bf9188eb633197aedd9825

SHA1
7a59697b3e68523e6386fc1543170e6c56dacdeb

SHA256
5bb9276d9304d86c14b705cb8b24d00d77a5af4ffb18130e57f817cd8633d71c

SHA512
8de3567ceec752725502f901f48359185a59e26f81a0e7441298299a4d753fd7388062105c52725019146f4cd1cd976b9845c58961c53c6c5aa005f1310fb322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d2e316ea-8234-4acd-9e5f-bd7753fd9ded.tmp

Filesize
1KB

MD5
1235cf59f5fd3bb9787c87f4b795d7a1

SHA1
7d6e01a8cca95a0975e71b5d171fbb3982e4f80a

SHA256
7519d52e2ac82e619fa30e0e2cd45a3577428d93bcdb44dff596a59c0eebf665

SHA512
c0c8d2588fd34d9ee11c02a689a5f2fb1f580950715deee91f688e0ed7d235c41e4bb4c15d53f923261916d6dfe70470852f1410d572392711dff0e7b005b215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
78c4b2117be51de695045b30fef4f9dd

SHA1
b6394c1edbe85d1a8f86dfc576ccd4d12caf297e

SHA256
700dc872c988093be445180465b63794d2ba79c892c00756349e7b19cadd2792

SHA512
20480d4bbf7ceedf3f3268164d102a79d9de924dcf24ad0e1ec0ab85a617a0068087bbb1ddb4cbed088e7bcff2236b82a61c7b3ec247c6432e19906ed320265f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1b53e56c03887f3131e34611c5ef517e

SHA1
5ff77831955989db46fdf653b8b1e477209b0218

SHA256
17e977bfc6f8e34471caa998e76e30534e6c41d77db60074d9f9d427f1f4252d

SHA512
25287189084337a9d437d0b445a6a9438fc020a69cd646f5235347a9115e318320dae6052e98c96158e92cda8bc4501dca2266c6124471ac48edac0962b4c5bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
42a1ed03a0b04a38f3b73fe9c5067aad

SHA1
9d6fad839b7bf6b599368c02d771d99b0390eaac

SHA256
a382bfe0033cd305c39f813241b236a871b5883ffc82926735a4d8589bb7e64d

SHA512
f8e1d1b4af035333cdc4fccaca3b1cbe1e3e3f5ffe6bc6d43b58dfab06ddfe88de6bf177afb6cf807b0ed176086f17d6419df48cf1e4ea1f97f3d2c14922344a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit