e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
61s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/index.html
Size

74B
MD5

7f2ecdbcb581b2ed6da4d8d3156b2558
SHA1

4dbe1386aea5d0f1644db64eff3f5f6b05e8ade7
SHA256

87635864b24fd38a1fce814301b4ebef9addc96caca2c0783f8a74412d8071ea
SHA512

a7a33a20693a05ac90d2400383926f567bb865ce9e61d765ef7ca0f6ffa99c9f5bde11282a86e5632058cda5c0d35d5ea899ac391b3e4dd0734df0fe26ed4ed0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290099453051233"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

536 chrome.exe
536 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

536 chrome.exe
536 chrome.exe
536 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 536 wrote to memory of 5100	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 5100	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2164	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3696	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3696	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 1904	536	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Aurora\web\index.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae08a9758,0x7ffae08a9768,0x7ffae08a9778
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:2
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:8
2⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1296 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:8
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:1
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:1
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4460 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:8
2⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1804,i,10078212254418891911,8645337636683955763,131072 /prefetch:8
2⤵
PID:1680

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
eeebfa8fdd1940babde968bb3d2f5dcd

SHA1
809af4c57b32977bee49cf52ea03f434f9e37790

SHA256
0db34adc02f4641a01ffbae95d963af6b8c8d1b9b052b83179281b7cab4c8a0b

SHA512
66b0fdc4c581ee2ecec043be7e6677b299cafa6399394fb06ec9f63297bd0900acb7e9f88c169ba7596c294e1ccb42e8f21c9f7c9156dd2fe49ae7a5c862d3e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c5b1aa8f9f9ec8489e7ed353a6260815

SHA1
77ee1cf6bd1a5b1f04b67b7f7842a530770bd3f7

SHA256
4e1ae1fcb13c62745ef4c6245ecff8cb3397cea26ad26dbe40466e62644a0173

SHA512
404fa9a6cda7fa031675cb969e6e277187efe838500f15e3a2598550c15f97b255490f23a4fa1cf79f2866feab9fccedab425000ec69331f0e116e567f4145a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
fd6a2029b080ba5cd6f2d2dc167b7653

SHA1
355f391f3d2502f83940e174df28f73b6ccb1cb5

SHA256
abd0ce0ed5716a206bc1e3681b58bb5b609273b3f35592b9967209c9320dfc6b

SHA512
58165ea0bb8f03e3413763c804efaa09f435d0e63401c3b7591e1cc530b77ae6155005bdd9d70a5f4e8ccb5c4324d4fb98ca864b06302447d35e64ce41c17958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_536_CFOLWFIFAQCUGKTD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit