hxxps://blog[.]mcarthurbs[.]net/c/llrjnm6/5fg859qa/oayu4zoabiw

Analysis

max time kernel
59s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 08:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://blog.mcarthurbs.net/c/llrjnm6/5fg859qa/oayu4zoabiw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133288784912195663"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: 33	3908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3908	AUDIODG.EXE
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe
Token: SeShutdownPrivilege	3048	chrome.exe
Token: SeCreatePagefilePrivilege	3048	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe
3048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2852	3048	chrome.exe	85
PID 3048 wrote to memory of 2852	3048	chrome.exe	85
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 2828	3048	chrome.exe	86
PID 3048 wrote to memory of 956	3048	chrome.exe	87
PID 3048 wrote to memory of 956	3048	chrome.exe	87
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88
PID 3048 wrote to memory of 2088	3048	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://blog.mcarthurbs.net/c/llrjnm6/5fg859qa/oayu4zoabiw
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad1eb9758,0x7ffad1eb9768,0x7ffad1eb9778
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3152 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4856 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4984 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3452 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5148 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 --field-trial-handle=1764,i,3727116831411755483,7853421968668185141,131072 /prefetch:8
  2⤵
  PID:636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\90a47a29-1c64-4d57-8327-fa462283c1e6.tmp

Filesize
5KB

MD5
37b65c0dee56febb25cdac10ce8325ae

SHA1
19a8d1f00d298e964bdf2eea70da7b4cc34b67b6

SHA256
711af2172c6dbce8b86617eecbb46d1b1d2c903eedc052eb376f59d36717d430

SHA512
2536fbca701ca1f22996dd8f6be600eaf7d14725f54fdaf4564a701afbab2e39ff9ff25794c39a9391aa671ee52419d9444bf012c7d6d79358eecfba7743e5a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
79b34de10c1bf7f27b20feb527a83e1d

SHA1
80c2b46932593871fef7231cbd281f03a807b76b

SHA256
009acf1dc87ff770742046252bd0f31ff72a7ca98a0528dcc7f5b499b01a9040

SHA512
eff7fcc8d3b8bb0dad492c226fadaa4126d848cb6232690b60bd91ddba6151560afb203556dec4d1c9a43d2a75f027f1c4de4ed2d6b4a58968eeabf6aab54ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d9cc0f60d2ef9ae70a7bd9fd10d7b1e

SHA1
095792c14887c098f1d2982ac218c6868855b579

SHA256
0e0f977bbf6bf19abd2b6a40de027e514edb1e77074b63e702132a68becfaa57

SHA512
99940aab45c102676e60b3a1e03cab8b9c344156a3cd8eadbc1a22fcf1b0bdc5ffc9c77b06d894dc84a87ce4204f40a520a593458de5acf7cb016be4e9df00e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f67c43ff86b0571eca5b754258b293c8

SHA1
995fc9bc38a5cb9eaac8ee937cf887d70d84d065

SHA256
8efe4ebbf8cc6611b203aae28620d2e0d25765b1b8fbd3a141c0a93f60f136d3

SHA512
2e83e8eb4e9ecadccbf06c7ac29ce960ffe38c1a25e81f4c40e9ff12fb7d5cc262e202447604c21cea1efe7c43103b2e5d3714e5e52f544cd86f5c3474781a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
9434287f5a1a76aded48bccb6e06ad61

SHA1
ea94e17b7a29a02826a39c40df855d9634630bed

SHA256
e31615ad92618aeaf5576c35a3d94efa91cae83c626c7ff2b6b48c4b2fe82e37

SHA512
69b9f906c192262ba8253a21d5e1578086cb476725bcf7e0a08d6d738d235cc4efb0456ee909aaa280770f50d865ee61499b436efb3008578e74d2a88d61d4c1

Download Submit