e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
63s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/ds.html
Size

55KB
MD5

76f09673ac96b4cbdc1a4271f6d3c44d
SHA1

ff366b0029b3725e720c7dcfd0872c5cac2b9e68
SHA256

1def6bdec3073990955e917f1da2339f1c18095d31cc12452b40da0bd8afd431
SHA512

dcd2d5003645a1e1363083abf9f171947c762254b272d937bdaeae58cedb56e54fed8ee37454b6cc028b50c1d3b3873c08372613d0dad259c2b5d31223f791a0
SSDEEP

768:rxEXGcWJX+ZFQWbBPeHPOhnwLw52uCHI8:rHcWAPhnj5xEI8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290171480432830"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

60 chrome.exe
60 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

60 chrome.exe
60 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe
Token: SeShutdownPrivilege	60	chrome.exe
Token: SeCreatePagefilePrivilege	60	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe
60	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 60 wrote to memory of 3644	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 3644	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 380	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 320	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 320	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe
PID 60 wrote to memory of 4460	60	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Aurora\web\ds.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe3b2e9758,0x7ffe3b2e9768,0x7ffe3b2e9778
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:2
2⤵
PID:380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:8
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:1
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:1
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1800,i,11430620935903706518,989027550830317684,131072 /prefetch:8
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
5bf3df3a20efbf1fb363c2a84b9926ac

SHA1
abe340cec7aad19bc09f37df3acf63d0bd1476a2

SHA256
4cd5981391c79eff8c2c7b789c06b73a1ca640f3d76e36ff47c0436aaeac534e

SHA512
0c05372dc74ca3e28d587610ecfc744583ba417d2e84bfe8ddcefacd9ce3e60e1253df6e020a0a4100fca039b91ddca379865aaddfadaa99ca754b921c2a632b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
cc9d4ec223510deb05777ff1349d98f3

SHA1
34511a8491d1dc054769d9de2999d958f98aaf2e

SHA256
575d4851747ca71612409f043284410e2fe19dce87957bf604c307c4d65518e3

SHA512
7a408e814bff7147b89ff1c2434c979f026c3f1c4451c2a8d0eaf700a4532f9cc224b3b33718aaa927db993cae963eb67ba45c74b9f9999732fbf8b76abef94e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5cff40bfcdb0fdb7b74d16676d904b45

SHA1
d043380990b9eb9350a484c790744a20f021f7f5

SHA256
2e253d7c606c7f031085cd7fa6d5736d26e758b80a5f49589b10ee970bcfef25

SHA512
c16180faf740caf4848209d22d0e233021811dfa52babbd6f286c3f92513c6f8c3113b95e0f519cdaa1875c27f8b15ab96f02b164137aded242e5131058c1d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
5da76f700aa29bd3d11aec956f172c07

SHA1
f8456fc61cb4f3582924d75426065c426f0f51b9

SHA256
5333f212224e8e9e54cb620f97c91b661ce1a18ed3551fbeed1a36dd80d1f565

SHA512
5d3d9031a26f6e33389a87b76e068c3d2b946fb8f2e2bed0bb9462192a02bfb7d861b82d9a2e77dd9534b60315ef84e1bd5547d6d783f74b10fa14950d89451c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
eeaade337cde4fb163dd9ceca0a1c01b

SHA1
ef75442ca8bde0693c141494f13a4b7c6bb4387c

SHA256
1f1428363f30b602689420c582f4cce0c69f0aba6d239f6eed42ab61530a00f0

SHA512
ee715994271a74dc924c4cf0fb690ed3c50c3b4829ce7c7b2d50d793b96df1629708057ff076d7ddc2e52d716ecac1bbefdfadf4ef0fc919f4f0769ebe67da66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_60_ZADBZHMZPSNRNHDE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit