e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
71s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/commands.html
Size

46KB
MD5

b471f17f6058643084420cf1beeda806
SHA1

540751cae241a1b2b25d4dd78f7d1f52967ca8d2
SHA256

e9cf3e7d2826fa488e7803d0d19240a23f93a7f007d66377beb1849c5d51c0af
SHA512

8630f6843d626426d1a00379d4da44d31998009699b9994c817401604a8752306d1e6002d51425e108f26c594ee43029806c85f6c5d2bed398f6f3407e6027a4
SSDEEP

384:6qlId+dEX5STyAbFE/2kAE1lp4a5D6l+XqhzpP7OSpEtrri4p+HarVbWQfiJQfi9:6IEXWWJ4aM+ZFQWbSgJn7sh2uCHIN

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290171658293097"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

5108 chrome.exe
5108 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5108 chrome.exe
5108 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5108 wrote to memory of 2248	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 2248	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 4652	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 392	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 392	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe
PID 5108 wrote to memory of 3724	5108	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Aurora\web\commands.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffaf85d9758,0x7ffaf85d9768,0x7ffaf85d9778
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:2
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:8
2⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:8
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:1
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1820,i,12716560101510189393,7727247524762750450,131072 /prefetch:8
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
535B

MD5
22711aad3aa08d8b50d0528a30c1e3de

SHA1
34211a2443a59ffa65296d6c6d33503cbaa019a7

SHA256
29449a6a3be579774d6faeab9f7e716afdc03795cddbe4fd26dad05665530a4f

SHA512
af2771a9101031324d9cdd1d1c4e07e8c8ff6369941f31018020f88ca609d88aff51acbd01437388d346cd93ca00387864cc0cdfb2b520b60a1dadcf1cc9516b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
93c1068e6aad66dc8620aef969eac95b

SHA1
9cc540fc10d0f2f6c881c9298b3d77c2d4d93781

SHA256
bdb38d88e6f5d0e2ab7c91a68bb447fe0b221840907e9c8f022ef19aa6f73f30

SHA512
6eead45ee93504b3b4f04358d1d9381c25debfc02db090e53e4b7bc1d50b52ec8321fe60ebf67415b94d6f2a556da6ce97f4403c4dc92c770305139f177b1bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0b039a66a49bd6f4adef21243cd1bd73

SHA1
f8e136e674caa72ad85b149442adf9787ad21e37

SHA256
ebe495e98299848e65fa49e655b0abd6cd342398b73bbd0112aaf7100fefee4a

SHA512
994a5ee6f2001568dc75c1ae7e22cd62eb505f366c2ab678555765367c3058795db746474b3cf29d2daeb755386a529b7e44f75c31f0e160d10ce1fee476252c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
7206034ccde2a505315d4e417f6c7d26

SHA1
6b008e183501083336d0bf8f3912ab4dbb09a7d2

SHA256
365938774ee1b8a7c8ee63b64ccdf94d7402a499d2f59f094162b8f834da5793

SHA512
dbf553f315faaf3cb857b5cb20aedb039de25923164c4899a55c17a045c707fd4d48a6475c032bda532a73f3e694f2d7100bbcea7e343fd676727b1833c8cc22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
d885769cddceab670be773aa6b4d485a

SHA1
b836405dfc783dcc1f368fef67c6479be22e13f0

SHA256
c16afcc04196a547881006429db190bf2c321380789178ea6501d2ce776f34a4

SHA512
cdfebc6797c6b5f66c7cece19ebff27ac3e1c28b6834e3e380a28a72c6ac83bb65d4963840e0b325706f733058762fbef65489c07826632e9f234b37110ad122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_5108_YFZKCZDPLFLYWRNC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit