e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
63s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/statistic.html
Size

10KB
MD5

72208f63646db492311708c3d1561516
SHA1

d9997465b824b261cfe5a70ce1aa857e383f0991
SHA256

f1ba92ae32fcaeea8148298f4869aef9bcd4e85781586b69c83a830b213d3d3c
SHA512

67b0186c8c770a66d983f1b8795f7821773e9defb9bb632c2f68af4c7d1b6bf09497026ec244f4f95bfa6be312ce00edfaec904083afcec568891257beb6e298
SSDEEP

192:M7oT3Mx2aMp/RdEYiYolNOVX2VasSG+EgxVX2VasSG+EgMOVX2VasSG+EgHden:McId+dEX5PasD+EgGasD+EgkasD+Eg9G

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290171477073582"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4592 chrome.exe
4592 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4592 chrome.exe
4592 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe
Token: SeShutdownPrivilege	4592	chrome.exe
Token: SeCreatePagefilePrivilege	4592	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe
4592	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4592 wrote to memory of 4052	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 4052	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3764	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 2180	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 2180	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe
PID 4592 wrote to memory of 3976	4592	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Aurora\web\statistic.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc98929758,0x7ffc98929768,0x7ffc98929778
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:2
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:8
2⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:1
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:1
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:8
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1832,i,9547442601039540306,13507349854138070639,131072 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
61a669b1a3d0ff5c5f8255fed50983e9

SHA1
599e6304a1b58dc2b8e0737ec8ba9b1ae0e51662

SHA256
0c1b73ab5e7bc590463957ab8396758734c291a6f3e66f3d9b00b5327ab2b6e9

SHA512
730fdc4ebb092eb564198bd56f172d5fd9c66e444d04046cae299ac12da442bb3ca9d75f277328af60c5c900dcbb9c7f0649b4e90a70049ffb1b84f5e4971b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
80ffda4763e17b5d6bbc78f4e8e59e3e

SHA1
bcdc6c2cba3e62eff0a69f55721d923f2a483a8f

SHA256
e84a900b319f1b568e457b048d5a580b6aac7f0f6e9487354090b4fe30f12be9

SHA512
076876e5077304f73ebf5ac1765791250f580e36b43bcc7dd11529bbea91b9186b9c6f1b0f6f5ce419d5ce9574b418f0e064e478da361f27f9aa264b9f4367f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fd79ed569963939feda478f2f1c066c3

SHA1
ebcf682c2f5346759d13b649ae46a860c5d5cd63

SHA256
ba7a351f487fa9ac05d2cbe2817743a16d18b87a22224527847a68428f2c74da

SHA512
11782d66bfc18389268ba7eb2a6f9e3f169d23573505452accaa3f2ac8abfa695e3f29ccdac65e45d2657c36c0f3fcfc2960642dc045791304af04025a087704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
d9883ce3ac0fbd839c9b725a8a5ad820

SHA1
ea3a21fac789f9ff07d00bf6aeb7953138ae463d

SHA256
13680ecde8eefcb77a928715cc5f330e86a80583232d8f2b37493fb547b11c9b

SHA512
1dda08d1ddaf54691f60c599548e696c8685b211773ec52698bb70145e3415b991665987c771c2770a64b9d19c84c0ec0d6dafd236d811e0db7c5c80a7133d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
4062972403c86b797411440a6a9b395f

SHA1
b800884187d7f8f501cb7f82a2c829a11d84ce96

SHA256
cc10800bad6ae5e213bd069414483910952819763d2bb5f058de2c7d1e9bfac5

SHA512
b337044150ae2c5a39957ed7063ab945dce25f3a0108ebf807c28de0254c69d86d55fbe16bd696a340c48843859a43f8a1114ac4fd2d024852ffb7e9ae82028e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4592_MCGRDDIDRZHJRBDG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit